Preface

Overview

Introduction

This guide is designed to help you use BlackICE PC Protection to protect the software and
data on your computer.

BlackICE PC Protection is a powerful tool for defending your computer from intruders.
BlackICE analyzes the electronic traffic going in and out of your computer and uses that
information to build a dynamic firewall that protects your computer from harmful
intrusions.

Scope

This guide describes the features of BlackICE PC Protection and shows you how to use
them.

• Chapter 1 explains how BlackICE protects your computer and describes the
information you can learn from the program.

• Chapter 2 provides detailed procedures for configuring BlackICE for your particular
circumstances.

• Appendixes A through E describe the screens and dialog boxes you can use to control
BlackICE PC Protection.

This guide does not include installation information. For information about getting
started with BlackICE PC Protection, see the BlackICE PC Protection Getting Started Guide.
The Getting Started Guide is available in two ways:

• If you purchased BlackICE in a box, the Getting Started Guide booklet is included in
your box.

• If you downloaded BlackICE, you can download the Getting Started Guide as a PDF
file from www.iss.net.

Audience

This guide is intended for the moderately experienced home PC user. If you can install
and uninstall an application on your Windows computer, you will be able to use this
book.

What's new in this guide

This guide is for BlackICE PC Protection, version 3.6. The previous version of this
software was known as BlackICE PC Protection, version 3.5.

BlackICE PC Protection 7.0 includes the newly integrated Protocol Analysis Module
(PAM), based on a combination of RealSecure intrusion detection with BlackICE
technology. PAM uses a combination of sophisticated application-level protocol analysis
and 7-layer pattern-based detection technologies. PC Protection 7.0 also improves the
usability of the Application Protection Module (APM), and incorporates bug fixes. These
features and fixes provide a more complete PC Protection that is easier to use.
Using this guide

Use this guide to help you configure and work with BlackICE PC Protection. To get the
most effective protection possible, follow the steps provided in Chapter 2 to configure
BlackICE. The instructions are designed to be followed in the order given, but you can
skip any step without endangering your system.

Related publications

For detailed information about customizing your installation of BlackICE PC Protection,
see the BlackICE Advanced Administration Guide, available for download from www.iss.net.
The Advanced Administration Guide is designed for experienced computer users.

For information about installing BlackICE and performing basic configuration, see the
BlackICE PC Protection Getting Started Guide. You can download the Getting Started Guide
from www.iss.net.
Conventions Used in this Guide

Introduction

This topic explains the typographic conventions used in this guide to make information in
procedures and commands easier to recognize.

In procedures

The typographic conventions used in procedures are shown in the following table:

Convention: Bold
What it indicates: An element on the graphical user interface.
Examples: Type the computer's address in the IP Address box. Select the Print check box.
Click OK.

Convention: SMALL CAPS
What it indicates: A key on the keyboard.
Examples: Press ENTER. Press the plus sign (+).

Convention: Constant width
What it indicates: A file name, folder name, path name, or other information that you
must type exactly as shown.
Examples: Save the User.txt file in the Addresses folder. Type IUSR SMA in the
Username box.

Convention: Constant width italic
What it indicates: A file name, folder name, path name, or other information that you
must supply.
Examples: Type Version number in the Identification information box.

Convention: → (arrow)
What it indicates: A sequence of commands from the taskbar or menu bar.
Examples: From the taskbar, select Start → Run. On the File menu, select
Utilities → Compare Documents.

Table 1: Typographic conventions for procedures

Command conventions

The typographic conventions used for command lines are shown in the following table:

Convention: Constant width bold
What it indicates: Information to type in exactly as shown.
Example: md ISS

Convention: Italic
What it indicates: Information that varies according to your circumstances.
Example: md your folder name

Convention: [ ]
What it indicates: Optional information.
Example: dir [drive:] [path] [filename] [/P] [/W] [/D]

Convention: |
What it indicates: Two mutually exclusive choices.
Example: verify [ON|OFF]

Convention: { }
What it indicates: A set of choices from which you must choose one.
Example: % chmod {u|g|o|a}=[r][w][x] file

Table 2: Typographic conventions for commands
Getting Help

Introduction

You can find detailed information about using BlackICE by using the Help, downloading
documents from ISS, or requesting technical support.

BlackICE Help

To access the online Help, do one of the following:

• On the menu bar, select Help → BlackICE Help Topics.

• In any window, click Help.

• On a BlackICE configuration tab, click the question mark in the upper right corner,
then click any screen option for a quick explanation of its use.

From the Web site

For the latest information about BlackICE PC Protection, go to
http://www.blackice.iss.net. Here you can search the following online resources:

• ISS Knowledge Base, which contains answers to frequently asked questions (FAQs)

• product documentation

• product updates and upgrade information

Technical Support

For technical support, send email to support -Ll@networkice . com or search our
extensive online resources to find quick answers to your technical support questions.

Telephone support is not available for BlackICE PC Protection.

Terminology

For a glossary of terms used in this guide, refer to http://www.iss.net.



Chapter 1

Introduction to BlackICE PC Protection

Overview

Introduction

This chapter describes the basic concepts for working with BlackICE PC Protection.

BlackICE PC Protection is a comprehensive personal computer security solution that
helps you protect your computer from:

• theft of passwords, credit card information, personal files and more

• computer downtime and system crashes

• attempts to use your computer to attack other systems

In this chapter

This chapter contains the following topics:

Topic                                   Page
Protection Levels                          3
The BlackICE Firewall                      5
Application Protection                     6
Application Control                        7
Communications Control                     8
Understanding BlackICE Alerts              9
Collecting Information                    11
Filtering Information                     12



Intrusion detection

BlackICE PC Protection includes an intrusion detection system that alerts you to attacks
and blocks threats to your computer. BlackICE captures information about the attacker
and logs suspicious activity, which preserves evidence of the attack.

Firewall capabilities

BlackICE PC Protection provides powerful firewall capabilities that go far beyond
traditional firewall functionality. The BlackICE firewall inspects all inbound and
outbound traffic on your computer, or on the network segment where it is deployed, for
suspicious activity. BlackICE blocks unauthorized activity without affecting normal
traffic.

Application Protection

BlackICE PC Protection prevents unauthorized applications from harming your computer
or other computers on a network. Application Protection consists of two features:

• Application Control: Helps you prevent unknown and possibly destructive
applications from damaging your computer. When you suspect an application may
have been modified, Application Control lets you decide whether to let it start.
BlackICE PC Protection goes beyond the capabilities of other products by preventing
unauthorized applications from starting other applications or services.

• Communications Control: Helps you prevent unauthorized applications from
communicating on the Internet. This can even prevent intruders from using your
computer to start attacks against other systems. It does this by letting you control
which applications have access to a local network or the Internet.
Protection Levels

Introduction

Protection levels are pre-designed sets of security settings for different types of Web use.
You can choose to have BlackICE block all communications with your computer, some
communications with your computer, or no communications with your computer. You
can change protection levels at any time.

How protection levels work

Protection levels modify your firewall by closing some of the software links, or ports, that
your computer uses to receive communications from other computers. The more
restrictive the protection level, the more ports are blocked.

It's a good idea to get to know which applications use which ports to do their jobs. Some
ports and protocols are more prone to abuse than others. Choosing a preset protection
level is a good start. As you get more familiar with the particular risks your system faces,
you can fine-tune your defenses according to your needs.

Protection level definitions

Paranoid: BlackICE blocks all unsolicited inbound traffic. Very restrictive, but useful if
your system faces frequent or repeated attacks. This setting may restrict some Web
browsing and interactive content.

Nervous: BlackICE blocks all unsolicited inbound traffic except for some interactive
content on Web sites (such as streaming media). Preferable if you are experiencing
frequent intrusions.

Cautious: BlackICE blocks unsolicited network traffic that accesses operating system and
networking services. Good for regular use of the Internet. This is the default protection
level setting.

Trusting: All ports are open and unblocked and all inbound traffic is allowed. Acceptable
if you have a minimal threat of intrusions.

How protection levels affect applications

This table shows how the protection levels affect some representative applications:

Level: Paranoid
Blocked: IRC file transfer (DCC), NetMeeting, PC Anywhere, ICQ
Configurable: Quake (II/III), Internet Phone, Net2Phone
Not Blocked: FTP file transfers, Sending/receiving email, Real Audio, IRC Chat

Level: Nervous
Blocked: IRC file transfer (DCC), NetMeeting
Configurable: ICQ, Internet Phone, Net2Phone
Not Blocked: All of the above, plus PC Anywhere, Quake (II/III)

Level: Cautious
Blocked: Unsolicited traffic that accesses operating system and networking services
Configurable: None
Not Blocked: All of the above, plus IRC file transfer (DCC), NetMeeting

Level: Trusting
Blocked: None
Configurable: None
Not Blocked: All inbound traffic

Note: To use an application that is blocked under a selected protection level, use the
Advanced Firewall Settings feature to open the ports the application uses. For more
information on opening ports, see "Blocking a Port" on page 18.
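The following Python script is an added example, not BlackICE code, that models the protection-level idea described above: inbound packets that answer a connection this host opened are "solicited" and pass at every level, while each level decides what unsolicited traffic to block. The port sets (OS_SERVICE_PORTS, NERVOUS_ALLOWED), the packet records and the ProtectionPolicy class are assumptions made for illustration and do not reproduce BlackICE's real rule tables.

```python
# Added example (not BlackICE code): a toy inbound-traffic policy for the four
# protection levels. Connection tracking decides whether an inbound packet is
# solicited (a reply to a connection this host opened); the level then decides
# which unsolicited traffic to block.
from dataclasses import dataclass, field

# Assumed: ports of operating system and networking services (blocked by Cautious).
OS_SERVICE_PORTS = {135, 137, 138, 139, 445}
# Assumed: ports Nervous leaves open for interactive Web content such as streaming media.
NERVOUS_ALLOWED = {554, 1755}
LEVELS = ("Paranoid", "Nervous", "Cautious", "Trusting")


@dataclass
class ProtectionPolicy:
    level: str
    # Connections this host initiated, as (remote_ip, remote_port, local_port).
    outbound: set = field(default_factory=set)

    def connect(self, remote_ip: str, remote_port: int, local_port: int) -> None:
        """Record an outbound connection so that its replies count as solicited."""
        self.outbound.add((remote_ip, remote_port, local_port))

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Return 'allow' or 'block' for one inbound packet under the current level."""
        if (src_ip, src_port, dst_port) in self.outbound:
            return "allow"  # solicited: a reply to something we asked for
        if self.level == "Trusting":
            return "allow"  # all inbound traffic allowed
        if self.level == "Paranoid":
            return "block"  # all unsolicited inbound traffic blocked
        if self.level == "Nervous":
            return "allow" if dst_port in NERVOUS_ALLOWED else "block"
        if self.level == "Cautious":
            return "block" if dst_port in OS_SERVICE_PORTS else "allow"
        raise ValueError(f"unknown protection level: {self.level}")


def decisions_by_level() -> dict:
    """Evaluate constructed inbound packets under every protection level."""
    # Constructed packets: (label, source ip, source port, destination port).
    packets = [
        ("reply to our web request", "198.51.100.20", 80, 51000),
        ("unsolicited SMB", "203.0.113.4", 40000, 445),
        ("unsolicited streaming", "198.51.100.30", 40001, 554),
        ("unsolicited high port", "203.0.113.5", 40002, 27015),
    ]
    result = {}
    for level in LEVELS:
        policy = ProtectionPolicy(level)
        policy.connect("198.51.100.20", 80, 51000)  # we opened a web connection
        result[level] = {label: policy.inbound(ip, sp, dp) for label, ip, sp, dp in packets}
    return result


if __name__ == "__main__":
    for level, verdicts in decisions_by_level().items():
        print(level, verdicts)
```

The point the table above makes is visible in the output: the solicited web reply is allowed at every level, while the same unsolicited SMB packet is blocked at every level except Trusting, and the streaming packet is the only unsolicited traffic that Nervous lets through.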
The BlackICE Firewall

Introduction

BlackICE automatically stops most intrusions according to the protection level you have
chosen, but you still may notice activity that isn't explicitly blocked. You can configure the
BlackICE firewall to increase your protection. You can block intrusions from a particular
address, or you can block intrusions that use a particular protocol.

Protocol analysis

The BlackICE firewall works by recognizing the special languages computers use to
communicate. For example, your browser receives messages encoded in Hypertext
Transfer Protocol (HTTP) from the Web. These information packets are usually received
through port 80. When BlackICE detects traffic coming in through port 80 that is not
correctly encoded in HTTP packets, there may be cause for suspicion.

Dynamic Firewall

Your firewall uses information from the BlackICE intrusion detection engine to
reconfigure itself in response to intrusions. The intrusion detection component analyzes
unusual packets and, if they are dangerous, instantly configures the firewall to block them
before they can have any effect on your computer.
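As an added illustration (not BlackICE code) of the two ideas just described, the Python script below does a toy version of protocol analysis and dynamic reconfiguration: traffic to port 80 is checked for a well-formed HTTP/1.x request line, and a packet that fails that check causes the source address to be added to a block list that drops its later packets before any analysis. The HTTP_METHODS set, the DynamicFirewall class and the sample packets are assumptions made for this example.

```python
# Added example (not BlackICE code): toy protocol analysis for port 80 plus a
# firewall that reconfigures itself from the detection verdict.
import re
from dataclasses import dataclass, field

# Assumption: the request methods the toy analyser accepts as valid HTTP.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.0|1.1 CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def http_request_line_ok(payload: bytes) -> bool:
    """True when the payload starts with a syntactically valid HTTP/1.x request line."""
    match = REQUEST_LINE.match(payload)
    return bool(match) and match.group(1).decode("ascii") in HTTP_METHODS


@dataclass
class DynamicFirewall:
    """A block list that the detection step can extend while traffic is flowing."""
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, src_ip: str, dst_port: int, payload: bytes) -> str:
        # Firewall stage: packets from an already-blocked source are dropped unanalysed.
        if src_ip in self.blocked:
            self.log.append((src_ip, "dropped (blocked source)"))
            return "dropped"
        # Detection stage: in this toy only port 80 is analysed, as HTTP.
        if dst_port == 80 and not http_request_line_ok(payload):
            self.blocked.add(src_ip)  # reconfigure the firewall in response
            self.log.append((src_ip, "blocked (non-HTTP traffic on port 80)"))
            return "blocked"
        self.log.append((src_ip, "allowed"))
        return "allowed"


def run_sample() -> list:
    """Feed constructed packets through the firewall; return the verdicts in order."""
    fw = DynamicFirewall()
    packets = [  # constructed: (source ip, destination port, payload)
        ("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        ("203.0.113.9", 80, b"\x00\x01\x02 not an http request line"),
        ("203.0.113.9", 80, b"GET / HTTP/1.0\r\n\r\n"),  # source is blocked by now
        ("198.51.100.7", 443, b"\x16\x03\x01 tls-looking bytes"),  # port 443: not analysed
    ]
    return [fw.inspect(src, port, data) for src, port, data in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Note the ordering in the sample: the second packet from 203.0.113.9 is well-formed HTTP, yet it is dropped, because the earlier verdict has already reconfigured the firewall. That is the behaviour the "Dynamic Firewall" paragraph describes, and it is also why trusting an address (see below) matters: a block created from one bad packet persists for the source.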

Blocking an intruder

You can block any intruder listed on your events list by adding an IP address to your
firewall. When you do this, no traffic from that intruder's IP address can enter your
system. For information about blocking IP addresses, see "Blocking an IP address" on
page 17.

Blocking a port

If you don't have an intruder in mind but you are concerned about intrusion attempts
using a specific internet protocol, you can block the port (or ports) that protocol uses.
Adding a port entry to your firewall ensures that no traffic from any IP address can enter
your system using that port. For information about blocking ports, see "Ignoring Events"
on page 20.

Ignoring events

To help reduce the amount of information you have to deal with, you can choose to ignore
events that don't pose any threat to your computer. For example, your ISP may carry out
routine port scans for its own management purposes. When such a scan appears on your
events list, you can right-click the event and select Ignore. For information about ignoring
events, see "Ignoring Events" on page 18.

Trusting an address

When you know a particular IP address is safe, you can choose to ignore all events from
that address. This is called trusting an address. For example, when another computer on
your internal network accesses files on your computer, it can appear as an intrusion on
your events list. You can right-click these events and select Trust and Accept to tell
BlackICE not to record any events from that computer. For information about trusting and
accepting, see "Trusting Intruders" on page 19.
Application Protection

Introduction

BlackICE protects your computer from unknown applications and from applications
connecting to a network, such as the Internet.

How it works

First, BlackICE creates a baseline record (also known as a checksum) of the applications
installed on your computer. Then it compares that baseline with any application that
attempts to launch or to communicate with a network. If the application does not match
the baseline, then BlackICE asks you if you want to stop the application or let it continue.

Note: You must update the baseline whenever you make changes to your system, such as
upgrading an application or installing a new application.

Turning off Application Protection

To turn off the Application Protection component:

1. Click Tools → Edit BlackICE Settings.

2. Select either the Application Control tab or the Communications Control tab.

3. Clear the Enable Application Protection check box.

Adding new or upgraded applications to your computer

Whenever you upgrade an application or install a new application on your computer, the
upgraded application does not match the Application Protection baseline, so BlackICE
regards it as an unknown application. This protects you from someone maliciously
updating applications or replacing them with other files that may be harmful.

Avoiding alert messages when you install software

You can avoid warning messages during upgrade or installation by clicking Install Mode
Options → Enable Install Mode on the first message you see. This temporarily disables
Application Protection. Click Continue on the periodic messages until the upgrade or
installation ends. Be sure to disable install mode when you are finished.

Note: After you install or upgrade an application, you must add it to the baseline. For
information about updating your baseline to include your new or upgraded software, see
"Managing your authorized applications" on page 24.
Application Control

Introduction

BlackICE PC Protection lets you control which applications and related processes can run
on your computer. Sometimes a program may be installed on your computer without
your knowledge. Many of these programs are useful or harmless. However, some of these
programs can present security risks. They may allow an intruder to locate password
information, make the system more vulnerable to future entry, or destroy programs or
data on the hard disk.

How Application Control works

When you install BlackICE, it creates a list of the applications currently installed on your
computer. Whenever the computer begins to start an application, BlackICE checks that the
application is one of these known applications. If it is not, BlackICE gives you the option
of stopping the program or letting it run. You can control this default behavior by
changing the settings on the Application Control tab.
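The Python script below is an added example, not BlackICE code, that works through the baseline mechanism described in "Application Protection: How it works" and in "How Application Control works" above: it records a checksum for every executable found under a directory, then classifies a launch request as known (path and checksum match), modified (path known, checksum differs, as after an upgrade or a replacement) or unknown (never baselined), and finally shows why the baseline must be refreshed after an upgrade. SHA-256 as the checksum, the JSON baseline file and the sample executables are assumptions made for this example.

```python
# Added example (not BlackICE code): a minimal application baseline and the
# known / modified / unknown verdict for a launch attempt.
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"  # assumption: the text only says "checksum"


def file_checksum(path: Path) -> str:
    """Hash the file in chunks so a large executable is not read into memory at once."""
    digest = hashlib.new(HASH_ALGORITHM)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(app_dir: Path) -> dict:
    """Record a checksum for every file under app_dir, keyed by its relative path."""
    return {
        str(path.relative_to(app_dir)): file_checksum(path)
        for path in sorted(app_dir.rglob("*"))
        if path.is_file()
    }


def classify_launch(baseline: dict, app_dir: Path, relative_name: str) -> str:
    """known: path and checksum match; modified: path known but checksum differs
    (upgrade or tampering); unknown: the path was never baselined."""
    expected = baseline.get(relative_name)
    if expected is None:
        return "unknown"
    return "known" if file_checksum(app_dir / relative_name) == expected else "modified"


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Run the baseline lifecycle on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "apps"
        app_dir.mkdir()
        # Constructed stand-ins for installed executables.
        (app_dir / "mailer.exe").write_bytes(b"MZ mailer v1")
        (app_dir / "browser.exe").write_bytes(b"MZ browser v1")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(app_dir), baseline_file)
        baseline = load_baseline(baseline_file)

        # Later: an upgrade (or a malicious replacement) and a new, unbaselined program.
        (app_dir / "mailer.exe").write_bytes(b"MZ mailer v2")
        (app_dir / "tracker.exe").write_bytes(b"MZ tracker")

        verdicts = {
            name: classify_launch(baseline, app_dir, name)
            for name in ("browser.exe", "mailer.exe", "tracker.exe")
        }
        # Updating the baseline after the upgrade turns "modified" back into "known".
        save_baseline(build_baseline(app_dir), baseline_file)
        verdicts["mailer.exe after re-baseline"] = classify_launch(
            load_baseline(baseline_file), app_dir, "mailer.exe")
        return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two properties of the text show up directly: the scheme cannot distinguish a legitimate upgrade from a malicious replacement (both are "modified"), which is why BlackICE asks you rather than deciding; and a program that was present when the baseline was taken is "known" forever, which is the caveat given under "Application control is not virus detection" below.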



Example: spyware

For example, some setup programs install a separate application, commonly known as
spyware, to track your Web site visits or other personal information. BlackICE detects any
such application when it starts, and checks to see if you have authorized the application to
run. If not, BlackICE can close the program automatically or alert you, depending on the
Application Control options you have set.

Application control is not virus detection

Application control is not the same as virus detection. BlackICE does not search your
system for harmful applications. Instead, BlackICE watches for new applications that may
have been installed on your computer without your knowledge, and alerts you when they
start. For example, if you install BlackICE after a Trojan application has been installed on
your computer, BlackICE assumes that application is known to you and does not block it
from starting or contacting a network.

Important: To get the full benefit of the Application Protection component of BlackICE PC
Protection, scan your system for viruses with an anti-virus program to make sure it is free
of dangerous applications before you install BlackICE or have BlackICE search for new or
modified applications. It is a good idea to run your anti-virus scan in both normal and safe
mode.

More information

For instructions, see "Protecting Your Computer From Unauthorized Applications" on
page 22.
Communications Control

Introduction

To reduce security risks from potential "Trojan horse" applications on your computer,
BlackICE PC Protection lets you choose which applications or processes can access a
network, such as the Internet or a local area network.

How Communications Control works

BlackICE tracks all the applications (and related processes) that you authorize to access a
network from your computer. If any software installed on your computer attempts to
access a network without your authorization, BlackICE detects its outbound
transmissions and asks you what to do:

• If you recognize the application, you can allow it to continue or you can block it.

• If you block it, you can have BlackICE automatically block the application in the
future.

Example: auto-update application

For example, some applications include a feature that automatically checks the
provider's Web site for software updates. The first time a newly installed or
modified program tries to do this, BlackICE asks if you want this application to access the
network. You can control this behavior by altering the settings on the Communications
Control tab.

More information

For instructions, see "Protecting Your Computer From Unauthorized Communications"
on page 26.
Understanding BlackICE Alerts

Introduction

Your dynamic firewall handles most alerts for you, but you can take additional steps to
make its responses even more effective. The information in this topic may help you
determine which events merit your attention.

Severity levels

Some network events are more dangerous than others. BlackICE PC Protection assigns
each event a numerical rank that reflects the event's potential risk level, and reports that
rank with an icon on the Events tab. The following table lists the severity levels BlackICE
uses:

Rank   Description
7-10   Critical. These are deliberate attacks on your system for the purpose of
       damaging data, extracting data, or crashing the system. Critical events
       always trigger protection measures.
4-6    Serious. These are deliberate attempts to access information on your
       system without directly damaging anything. Some serious events trigger
       protection measures.
1-3    Suspicious. These are network activities that are not immediately
       threatening, but may indicate that someone is looking for security
       vulnerabilities in your system. For example, intruders may scan the
       available ports or services on a system before attacking it. Suspicious
       events do not trigger protection measures.
0      Informational. These are network events that are not threatening but are
       worth noting. Informational events do not trigger protection measures.

Table 3: BlackICE severity icons
Response levels

BlackICE PC Protection reports how it responded to each event by showing a symbol. The
symbol for a response can appear two ways:

• as an icon beside the event

• as a mark over the severity level icon

This table describes BlackICE response level icons and overlays:

Attack Blocked: BlackICE successfully blocked the attack. Depending on
the severity of the event, BlackICE may also have blocked the attacking
system. To see if BlackICE is currently blocking the intruder, double-click
the event.

Attack Unsuccessful: Other defenses of your computer, such as the
operating system, successfully blocked the intrusion. Therefore, BlackICE
did not need to block the event. The event did not compromise the system.

Attack Status Unknown: BlackICE triggered protection measures as
soon as it identified the attack, but some attacking packets may have
made it through to the computer. It is unlikely that the event compromised
the system.

Attack Possible: BlackICE triggered protection measures as soon as it
identified the intrusion. However, some attacking packets were able to get
into the computer. The event may have compromised the system.

Attack Successful: BlackICE detected abnormal traffic entering or exiting
the system as a result of the intrusion. However, the BlackICE protection
measures could not block the intrusion. The event has compromised the
system.

Table 4: BlackICE response icons and overlays and what they mean
Collecting Information

Introduction

When an intruder attempts to break into your system, BlackICE PC Protection can track
the intruder's activities. You can use this information to determine what an intruder did to
your computer. This section explains how to gather and use this information.

Back Tracing

BlackICE can back trace each intrusion to determine where it originated. You can tell
BlackICE to seek information from the originating computer itself or from points the
packets passed through on the way to your computer.

When BlackICE back traces an intruder, it attempts to gather the IP address, DNS name,
NetBIOS name, Node, Group name, and MAC address. Skilled intruders will often block
BlackICE from acquiring this information.

To set up back tracing, see "Back Tracing" on page 30.

Evidence files

When BlackICE PC Protection detects an intrusion, it can capture the network packet that
triggered the detection and store that packet in an evidence file. Evidence files can tell you
a lot about what an intruder tried to do. Because evidence files provide proof of the
attacker's activities, they can be very useful to law enforcement or legal counsel in tracking
criminal intruders.

For information about setting up evidence gathering, see "Collecting Evidence of
Intrusions" on page 32.

Packet log files

Packet logging records all the packets that enter your computer. This can be useful if you
need more detailed information than evidence logs contain.

Note: Packet logs can become very large and use considerable storage space. Use them
only if you are experiencing repeated intrusions and have plenty of disk space.

For information about setting up packet logging, see "Collecting Packet Logs" on page 32.
Filtering Information

Introduction

You probably won't need to inspect all the information BlackICE PC Protection gathers
about the Internet traffic that reaches your computer. You can use the configuration tabs
to control how much information appears on the information tabs and how often
BlackICE alerts you to potential risks.

Leaving out information

You can instruct BlackICE to show only events that present risks over a given level. For
example, BlackICE determines port scans from your ISP to be of only informational
interest. You can omit those events from the Events tab. For information on how to do this,
see "Filtering the Events List" on page 14.

Severity levels

BlackICE assigns a severity level to every event, to indicate how dangerous the event may
be to your computer. The severity level appears as an icon beside the event on the Events
tab.

Freezing events

Sometimes events are recorded so quickly that it can be difficult to keep track of them as
they appear on the Events tab. When this happens, you can freeze the Events tab and
respond to the events at your convenience. For information on freezing the Events list, see
"Freezing the Events list" on page 15.

Deleting events

Even if you are filtering out events that are not very risky, your events list can grow very
long. You can delete individual events from the Events tab, or you can delete the whole
events list. For information about deleting events, see "Clearing the Events list" on
page 14.

Event alerts

BlackICE can alert you to events by making a sound or by showing an alert icon in your
system tray. The alert icons are coded to match the seriousness of the event. You can tell
BlackICE to alert you only to events of a particular severity. For information about setting
your alarm preferences, see "Setting alarm preferences" on page 14.

Customizing event and intruder information

You can configure the Events and Intruders tabs to show only the columns that contain
the information you are most interested in. For example, if you find that multiple attacks
on your computer use the same protocol, you can include the Protocol column in the
Events tab. For information on choosing columns to view, see "Showing and hiding
columns" on page 15.
Chapter 2

Using BlackICE PC Protection

Overview

Introduction

This chapter provides the procedures to configure BlackICE PC Protection for your
specific conditions. These procedures are designed to be performed in sequence.

For information about installing BlackICE PC Protection, see the BlackICE PC Protection
Getting Started Guide.

In this chapter

This chapter includes the following topics:

Topic                                                        Page
Choosing the Information You Need                              14
Blocking Intrusions                                            17
Trusting Intruders                                             19
Ignoring Events                                                20
Protecting Your Computer From Unauthorized Applications        22
Protecting Your Computer From Unauthorized Communications      26
Responding to Application Protection Alerts                    27
Back Tracing                                                   30
Collecting Evidence of Intrusions                              32
Recording Network Traffic                                      33
Exporting BlackICE Data                                        35
Reporting Abuse                                                36
Choosing the Information You Need

Introduction

You may find that you want regular access to more or less information than BlackICE PC
Protection shows by default. You can use the BlackICE configuration tabs to control:

• how much information appears on the BlackICE information tabs

• how frequently BlackICE alerts you to potential risks

Filtering the Events List

To filter events:

1. On the View menu, select Filter by Event Severity.

2. From the submenu, select the least severe events to display.

For example, if you select Suspicious, all suspicious, serious, and critical attacks
appear. If you select Informational, all intrusions appear.

Note: When the list is filtered, the Filter by Event Severity list shows only the severity
icons for the attacks. For example, if the list is filtered to show only serious and critical
attacks, the Suspicious and Informational icons do not appear.
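The following Python script is an added example, not BlackICE code, that implements the severity ranking of Table 3 and the "least severe events to display" filter of this procedure (and the "Leaving out information" paragraph in Chapter 1): ranks 7-10, 4-6, 1-3 and 0 map to Critical, Serious, Suspicious and Informational; selecting a category keeps that category and everything more severe; and the categories still present after filtering correspond to the icons the Note says remain visible. The event record layout and the sample events are constructed for this example and are not BlackICE's own file format.

```python
# Added example (not BlackICE code): severity categories and the
# "Filter by Event Severity" threshold applied to constructed events.
from typing import Iterable

# Rank bands exactly as Table 3 gives them: (category, lowest rank, highest rank).
SEVERITY_BANDS = (
    ("Critical", 7, 10),
    ("Serious", 4, 6),
    ("Suspicious", 1, 3),
    ("Informational", 0, 0),
)
# Least to most severe; the filter keeps everything at or above the chosen index.
ORDER = ["Informational", "Suspicious", "Serious", "Critical"]


def severity_category(rank: int) -> str:
    """Map a numerical rank (0-10) to its severity category."""
    for name, low, high in SEVERITY_BANDS:
        if low <= rank <= high:
            return name
    raise ValueError(f"rank {rank} is outside 0-10")


def filter_events(events: Iterable[dict], least_severe: str) -> list:
    """Keep events whose category is `least_severe` or worse. Selecting Suspicious
    keeps suspicious, serious and critical; selecting Informational keeps all."""
    threshold = ORDER.index(least_severe)
    return [e for e in events if ORDER.index(severity_category(e["rank"])) >= threshold]


def visible_categories(events: Iterable[dict]) -> list:
    """Categories present in a (filtered) list, most severe first: these are the
    severity icons that the filtered Events tab would still show."""
    present = {severity_category(e["rank"]) for e in events}
    return [category for category in reversed(ORDER) if category in present]


# Constructed sample events; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"rank": 0, "source": "192.0.2.10", "name": "ISP management port scan"},
    {"rank": 2, "source": "198.51.100.5", "name": "probe of unused port"},
    {"rank": 5, "source": "203.0.113.8", "name": "attempt to read shared files"},
    {"rank": 9, "source": "203.0.113.8", "name": "attempt to crash a network service"},
]


if __name__ == "__main__":
    for choice in ORDER:
        kept = filter_events(SAMPLE_EVENTS, choice)
        print(f"least severe = {choice}: {len(kept)} shown, icons {visible_categories(kept)}")
```

With the sample list, choosing Suspicious hides only the ISP scan, which is the use case the "Leaving out information" paragraph gives, while choosing Serious leaves just the Serious and Critical icons in the filter list.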



Clearing the Events list

To clear the Events list:

1. From the Main Menu, select Tools → Clear Files.
The Files to Delete window appears.

2. Do one of the following:

■ Select Attack-list.csv to delete all intrusion records from the Events tab. For more
information about what you are deleting, see "The Events Tab" on page 40.

■ Select Evidence logs to delete all evidence log data. For information about what is
included in evidence data, see "Collecting Evidence of Intrusions" on page 32.

■ Select Packet logs to delete all packet log data. For information about what packet
log data consists of, see "Collecting Packet Logs" on page 41.

3. Click OK.

Note: Clearing the event list does not stop BlackICE from trusting, blocking, or ignoring
events or intruders.

Setting alarm preferences

To set BlackICE alarm preferences:

1. From the Main Menu, select Tools → BlackICE Settings.

2. Select the Notifications tab.

3. In the Event Notification area, do one or both of the following:

■ Select Visible Indicator, and then select the severity option level to trigger a visible
alarm.

■ Select Audible Indicator, and then select the severity option level to trigger a .wav
file.

Note: If you select the Audible Indicator option, the WAV File field shows the default
alarm sound (bialarm.wav). To change the .wav file used in audible notification, click
the folder icon and locate the desired file.
4. Click OK.

For more information about setting your notification preferences, see "The Notifications
Tab" on page 56.

Freezing the Events list

Freezing the Events list stops BlackICE from refreshing the tab information until you
unfreeze it. However, freezing does not stop the monitoring, detection, and protection
features of BlackICE.

Note: Remember to unfreeze the application after viewing the list so that BlackICE can
display new attacks. When you restart the computer, BlackICE resets to an unfrozen state.

To freeze the Events list:

• From the Main Menu, select View → Freeze.

Showing and hiding columns

You can configure the columns that the Events and Intruders tabs display.

Note: Removing a column from the window does not remove the information from that
column in BlackICE.

To select columns to view:

1. On the Events or Intruders tab, right-click the column header, and then select
Columns.

The Columns window opens.

2. Follow the instructions on the Columns window.

3. Click OK.
Setting Your Protection Level 



Introduction 



Protection levels are predesigned sets of security settings developed for different types of Web use. You can choose to have BlackICE block all communications with your computer, some communications with your computer, or no communications with your computer. This topic shows how to: 

• set your protection level 

• configure BlackICE to switch protection levels dynamically 

Note: If your computer is set up to report to ICEcap Manager and ICEcap Manager has configuration priority, you cannot set the protection level from the local agent. To change any firewall settings, you must contact your ICEcap administrator. 



Setting your protection level 

To set your protection level: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings -> Firewall. 

2. Select a protection level: 

■ To block all unsolicited inbound traffic, select Paranoid. 

■ To block all unsolicited inbound traffic except for some interactive content on Web sites (such as streaming media), select Nervous. 

■ To block only unsolicited network traffic that accesses operating system and networking services, select Cautious. This is the default setting. 

■ To allow all inbound traffic, select Trusting. This is the default setting. 

3. Do you want to enable auto-blocking? 

■ If yes, select Enable Auto-Blocking. 

■ If no, clear Enable Auto-Blocking. 

4. Do you want to share resources on this computer with other computers over a 
network? 

■ If yes, select Allow Internet File Sharing. 

■ If no, clear Allow Internet File Sharing. 

5. Do you want this computer to appear in the Network Neighborhood window of other 
computers? 

■ If yes, select Allow NetBIOS Neighborhood. 

■ If no, clear Allow NetBIOS Neighborhood. 

For more information about protection levels, see "The Firewall Tab" on page 48. 
Blocking Intrusions 

Introduction 

BlackICE identifies and stops most intrusions according to the rules contained in your preset protection level. However, you may still notice activity that isn't explicitly blocked. This topic explains how to handle those intrusions. 

Caution: Do not block port scans from your own Internet service provider. This may violate your ISP's terms of service and cause you to be disconnected. 

Blocking an event or an intruder 

You can block any intruder listed on your events list. When you do, BlackICE creates an IP address entry in your firewall that prevents all traffic from that IP address from entering your computer. To block an intruder or an event: 

1. Do one of the following: 

■ On the Intruders tab, right-click the name of the intruder. 

■ On the Events tab, right-click the name of the event. 

2. On the submenu, select the duration of the block. 
Note: A month is defined as 30 days. 

3. Click Yes. 

Blocking an IP address 

To block an IP address: 

1. From the Tools menu, select Advanced Firewall Settings. 

The Advanced Firewall Properties window appears. 

2. Click Add. 

The Add Firewall Entry window appears. 

3. Type a name for the IP address filter. 

Note: This should be the name of the system to block, if you know it. For example, if you are creating a filter to block all port scans from a known intruder, use the intruder's computer name for the name of this address filter. For information about how to learn about intruders, see "Back Tracing" on page 30. 

4. Type the IP address or range of addresses for the system to block. 

■ Use standard 000.000.000.000 notation. 

■ If you are specifying a range of IP addresses, place a dash between them. For example, 192.168.10.23-192.168.10.32. 

■ To block transmissions from all IP addresses through a specific port, select All Addresses. 

Note: You cannot block all transmissions from all IP addresses in this window. To block all unsolicited inbound traffic, select the "Paranoid" protection level on the Firewall tab. 

5. In the Mode area, select Reject. 

6. In the Duration of Rule area, select the length of the block. 

7. Click Add. 

BlackICE adds the entry to the list in the Advanced Firewall Settings window. 
Blocking a Port 

If you don't have a specific intruder in mind but you are concerned about intrusion attempts using a particular Internet protocol, you can block the port that protocol uses. Adding a port entry to your firewall ensures that no traffic from any IP address can enter your computer using that port. 

To block a port: 

1. From the Tools menu, select Advanced Firewall Settings. 

2. Click Add. 

The Add Firewall Entry window appears. 

3. Type a name for the port in the Name field. 

Note: You can use any name. For convenience, try using the name of the protocol or 
the software that uses the port, such as "Quake" or "SMTP." 

4. Type the port number in the Port field. 

■ Use a whole number between 1 and 65535. 

■ To enter a range of ports, use the format 9-999. 

■ To close all ports on your computer to communications from a specific IP address, 
select All Ports, then go to "Blocking an IP address" on page 17. 

Note: You cannot use Add Firewall Entry to block or accept all transmissions from all IP addresses through all ports. To instruct BlackICE to block all unsolicited inbound traffic, select the "Paranoid" protection level on the Firewall tab. To accept all traffic, select the "Trusting" protection level. For more information, see "Choosing the Information You Need" on page 14. 

5. Select the port type in the Type field. 

Note: To create an entry for both port types, you must create two separate port filters. 

6. In the Mode area, select Reject. 

The BlackICE application closes the port. 

7. In the Duration of Rule area, select the length of time to block the port. 

8. Click Add. 

BlackICE adds the entry to the list in the Advanced Firewall Settings window. 
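The address and port filters described in "Blocking an IP address" and "Blocking a Port" above, worked through as an added example (my own Python, not BlackICE code): it parses the 000.000.000.000 and 9-999 formats, enforces the one-port-type and not-both-All rules, honours the Duration of Rule, and then decides a few constructed inbound packets. The class and function names, and the assumption that the first matching entry wins, are mine; BlackICE's real rule engine is not documented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Hypothetical model (not BlackICE code) of the Add Firewall Entry rules.
ALL = None  # stands for the "All Addresses" / "All Ports" check boxes
Range = Optional[Tuple[int, int]]


def parse_ip_range(text: str) -> Range:
    """'000.000.000.000' or 'a.b.c.d-e.f.g.h' -> inclusive (low, high) ints;
    empty text means the All Addresses box was selected."""
    text = text.strip()
    if not text:
        return ALL
    parts = [p.strip() for p in text.split("-")]
    if len(parts) > 2:
        raise ValueError(f"bad address filter: {text!r}")
    low, high = int(IPv4Address(parts[0])), int(IPv4Address(parts[-1]))
    if low > high:
        raise ValueError(f"range is reversed: {text!r}")
    return low, high


def parse_port_range(text: str) -> Range:
    """'80' or '9-999' -> inclusive (low, high), enforcing 1..65535;
    empty text means the All Ports box was selected."""
    text = text.strip()
    if not text:
        return ALL
    parts = text.split("-")
    if len(parts) > 2:
        raise ValueError(f"bad port filter: {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port filter out of range: {text!r}")
    return low, high


@dataclass
class FirewallEntry:
    name: str
    addresses: Range             # None = All Addresses
    ports: Range                 # None = All Ports
    proto: str                   # "tcp" or "udp": one port type per entry
    mode: str                    # "reject" or "accept"
    expires: Optional[datetime]  # None = rule never lapses

    @classmethod
    def make(cls, name, addresses, ports, proto, now, mode="reject", duration=None):
        addr, prt = parse_ip_range(addresses), parse_port_range(ports)
        # The window refuses "everything from everyone"; the Paranoid and
        # Trusting protection levels cover that case instead.
        if addr is ALL and prt is ALL:
            raise ValueError("use a protection level to block or accept all traffic")
        return cls(name, addr, prt, proto.lower(), mode.lower(),
                   now + duration if duration else None)

    def matches(self, src_ip: str, dst_port: int, proto: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # the Duration of Rule has passed
        if proto.lower() != self.proto:
            return False  # TCP and UDP need separate filters
        ip = int(IPv4Address(src_ip))
        if self.addresses is not ALL and not (self.addresses[0] <= ip <= self.addresses[1]):
            return False
        if self.ports is not ALL and not (self.ports[0] <= dst_port <= self.ports[1]):
            return False
        return True


def decide(entries: List[FirewallEntry], src_ip: str, dst_port: int,
           proto: str, now: datetime) -> str:
    """Mode of the first matching entry (assumption: first match wins), or
    'protection-level' when no entry covers the packet."""
    for entry in entries:
        if entry.matches(src_ip, dst_port, proto, now):
            return entry.mode
    return "protection-level"


def demo() -> List[str]:
    """Constructed rules: a 30-day ('one month') block of an address range on
    all ports, plus a permanent block of TCP port 25 from all addresses."""
    t0 = datetime(2003, 1, 1, 12, 0, 0)
    rules = [
        FirewallEntry.make("scanner", "192.168.10.23-192.168.10.32", "", "tcp", t0,
                           duration=timedelta(days=30)),
        FirewallEntry.make("SMTP", "", "25", "tcp", t0),
    ]
    return [
        decide(rules, "192.168.10.30", 139, "tcp", t0),                       # reject
        decide(rules, "192.168.10.33", 139, "tcp", t0),                       # protection-level
        decide(rules, "10.0.0.5", 25, "tcp", t0),                             # reject
        decide(rules, "10.0.0.5", 25, "udp", t0),                             # protection-level
        decide(rules, "192.168.10.30", 139, "tcp", t0 + timedelta(days=31)),  # protection-level
    ]


if __name__ == "__main__":
    print(demo())
```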
Trusting Intruders 

Introduction 

When an address is trusted, BlackICE assumes all communication from that address is authorized and excludes the address from any intrusion detection. Trusting ensures that BlackICE does not block systems whose intrusions may be useful to you. You can choose to trust a system that has already intruded on your computer, or you can identify a potential intruder to trust ahead of time. 

Important: Trust only those systems that you are certain are safe, or are legitimately executing network scans, such as servers from an ISP. Keep in mind that intruders can fake the IP addresses of internal systems. It is possible, though very unlikely, for an intruder to fake a trusted address and avoid detection from BlackICE. 



Trusting an existing intruder 

To trust an intruder that BlackICE has detected: 

1. Do one of the following: 

■ On the Intruders tab, right-click the intruder. 

■ On the Events tab, right-click the event/intruder combination that includes the intruder you want to trust. 

2. On the shortcut menu, select Trust Intruder. 

3. From the submenu, select one of the following: 

■ Trust and Accept: The BlackICE intrusion detection component ignores all attacks from the intruder and the firewall accepts all communications from the intruder's IP address. The intruder is not subjected to any BlackICE detection or protection. 

■ Trust Only: The BlackICE intrusion detection component ignores all attacks from the intruder. 

Important: Use caution when trusting a system. Intruders often mask their identity 
with forged IP addresses, so an intruder could use your trusted addresses as a 
mechanism against you. We recommend only trusting those systems that are 
authorized, trustworthy and secure. 

4. Click Yes. 

BlackICE immediately starts trusting the intruder, and adds the intruder address to the list of trusted IP addresses on the BlackICE Settings Detection tab. 

Trusting an intruder in advance 

To trust an intruder that BlackICE has not yet detected: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings. 

2. Select the Intrusion Detection tab. 

3. Click Add. 

The Exclude from Reporting window appears. 

4. Type the IP address in the IP box, or select All. 

■ Use standard 000.000.000.000 notation. 

■ If you are specifying a range of IP addresses, place a dash between them. For example, 192.168.10.23-192.168.10.32. 

5. Click OK. 
Ignoring Events 

You can configure BlackICE PC Protection to ignore events that are not a threat to your computer. 

Note: Ignoring an event is different from trusting an intruder. 

■ Ignoring disregards certain kinds of events. When an event type is ignored, BlackICE does not log any information about events of that type. 

■ Trusting excludes an address from intrusion detection. Intrusions from that address 
are not shown on the Events tab. 

Ignoring an existing event type 

To ignore an event type: 

1. On the Events tab, right-click the event/intruder combination. 

2. On the shortcut menu, select Ignore Event. 

3. From the submenu, select one of the following: 

■ This Event: The BlackICE intrusion detection component ignores all future instances of the event. 

■ This Event by this Intruder: The BlackICE intrusion detection component ignores all future instances of this event by the referenced intruder. 

4. Click Yes. 

BlackICE adds the event to the list of ignored events on the Detection tab in the BlackICE Settings window. 

Ignore an event type in advance 

When you know of a potential event but haven't seen that type of event yet, and you want BlackICE to allow the event, you can preemptively ignore the event type. For example, you may want to ignore future HTTP port scans from your Internet Service Provider. 

Follow these steps: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings. 

2. Select Intrusion Detection. 

3. Click Add. 

The Exclude from Reporting window appears. 

4. Do one of the following: 

■ To ignore future events of a specific type, go to Step 5. 

■ To ignore future events from a specific intruder, go to Step 6. 

5. Select All in the Addresses to Trust area, and then go to Step 8. 

6. Type the IP address of the intruder in the IP box. 

■ Use standard 000.000.000.000 notation. 

■ If you are specifying a range of IP addresses, place a dash between them. For example, 192.168.10.23-192.168.10.32. 

7. In the Events to Ignore area, clear the All check box. 

The system enables the Name and ID boxes, and disables the Add Firewall Entry check box. 
8. Select the event type in the Name box, or select the event number in the ID box. 

9. Click Add. 

For more information, see "The Prompts Tab" on page 58. 
Protecting Your Computer From Unauthorized Applications 

Introduction 

When you install BlackICE PC Protection, it creates a baseline record (also known as a checksum) of the applications installed on your computer. BlackICE uses this information to prevent any unauthorized applications from running. When BlackICE alerts you that an unknown application is starting, you can stop the application or let it run. If you let it run, BlackICE can remember your choice or require new authorization every time the application starts. 



Updating the baseline 

After you install or update software, you must add each new or upgraded application to the baseline so that BlackICE recognizes that it is an approved application. There are two ways to add an application to the baseline: 

• create a new baseline 

• start the new or upgraded application and tell BlackICE to include it in the existing baseline 

Important: To get the full benefit of Application Protection, scan your computer for viruses with an anti-virus program to make sure it is free of dangerous applications before you update your system's baseline. It is a good idea to run your anti-virus scan in both normal and safe mode. 



Creating a new baseline 

To create a new baseline: 

1. On the Tools menu, select Advanced Application Protection Settings. 

The Advanced Application Protection Settings window appears. 

2. Click the Baseline tab. 

3. Expand the folder tree. 

4. Select the folders to include in your baseline by checking the box next to the folder name. If you select a folder that contains subfolders, BlackICE inspects all the subfolders in that folder. 

Tip: To include the whole drive in the baseline, check the box next to the drive letter at the top of the tree. 

5. Click Save Changes. 

BlackICE begins creating a baseline of the application files that are installed in the folders you chose. 

Note: This process can take several minutes, depending on the size of the folders. 

6. To check the list of applications BlackICE created, click Known Applications. 

Adding an application to your baseline 

To add an application to your baseline after you have installed or upgraded the application: 

1. Start the application. 

BlackICE alerts you that an unknown or modified application is trying to start. 

2. In the warning message window, select Allow the application to launch and Don't ask me again. 

3. Repeat for every warning message that appears. The number of messages you see depends on how many files the application runs. BlackICE will not display the warning messages again unless the application changes. 



Building your baseline over time 

BlackICE can learn your application control preferences as you work. You can have BlackICE ask you for a decision on each program as it launches. 

To update your baseline as you work: 

1. On the Tools menu, select Edit BlackICE Settings, then select the Application Control tab. 

2. Select an option under When an unknown application launches. 

■ To have BlackICE check with you when it detects an application you have not explicitly allowed to run, select Ask me what to do. This is the default. 

■ To have BlackICE automatically shut down any application you have not allowed to run, select Always terminate the application. 

Note: For more information about how your installation options affect your default Application Protection settings, see the BlackICE PC Protection Getting Started Guide. 



Application Protection alerts 

If you have enabled the Application Protection component and selected Ask me what to do, BlackICE alerts you when an unknown application starts. For information about how to respond to these alerts, see "Responding to Application Protection Alerts" on page 27. 

Note: To avoid false positives, update your Application Protection baseline every time you install new software. Installing a new application can change some helper files, such as DLLs, that are already in your baseline. BlackICE may flag these as "modified files" until you update your baseline. 



Application file types 

BlackICE determines which files are included in the baseline from the file name extensions (the three characters after the period). BlackICE currently checks for these application file types: 

Extension   File Type 

dll         Dynamic link library, a collection of resources that enable a program file to do its job 

drv         Driver, a small program that enables a device or service to work 

exe         Executable file, containing program instructions 

ocx         Special-purpose program for functions such as scroll bar movement and window resizing in Windows applications 

scr         Screensaver program 

sys         Files that control basic operating system functions 

vxd         "Virtual device" that enables other software to work 
Adding file types to the baseline 



If you know of application files on your computer that have different extensions, you can 
add those extensions before creating your baseline. 

To search for additional file types: 

1. On the BlackICE Tools menu, select Advanced Application Protection Settings. 

2. On the Advanced Application Protection Settings window Tools menu, select 
Checksum Extensions. 

The Checksum Extensions window appears. 

3. Enter the extension in the Extensions text box. 

4. Click Add. 

5. Repeat steps 3 and 4 until all the file types have been added. 

6. Click OK. 

BlackICE adds the new file type extensions to the list. 

Note: For more information about how your installation options affect your default Application Protection settings, see the BlackICE PC Protection Getting Started Guide. 
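An added example, not BlackICE's own code, of the baseline idea behind "Application file types" and "Adding file types to the baseline": it hashes every file under a folder whose extension is on the checksum list, saves the result, and on a later scan reports unknown and modified application files, the two cases that raise an alert. The function names, the use of SHA-256, the JSON baseline file and the temporary folder scenario are my assumptions; BlackICE's real checksum and baseline format are not documented here.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Hypothetical baseline builder (not BlackICE code). The extensions are the
# ones the manual lists; Checksum Extensions entries are passed in as extras.
DEFAULT_EXTENSIONS = frozenset({"dll", "drv", "exe", "ocx", "scr", "sys", "vxd"})


def file_checksum(path: Path) -> str:
    """SHA-256 of the file contents (assumption: BlackICE's own checksum
    algorithm is not documented, so SHA-256 stands in for it)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, extensions: Iterable[str] = DEFAULT_EXTENSIONS) -> Dict[str, str]:
    """Walk root and every subfolder (as checking a folder in the Baseline
    tab does) and map each application file's relative path to its checksum."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lstrip(".").lower() in wanted:
            baseline[path.relative_to(root).as_posix()] = file_checksum(path)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """'unknown' files are absent from the baseline and 'modified' files have
    a different checksum: the two cases that trigger an Application Protection
    alert. 'missing' files were in the baseline but are gone."""
    return {
        "unknown": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo(extra_extensions: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Constructed scenario in a temporary folder: record a baseline, then
    'install' software that adds an exe and a cpl and replaces a baselined DLL."""
    exts = set(DEFAULT_EXTENSIONS) | set(extra_extensions)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        (app / "viewer.exe").write_bytes(b"MZ viewer v1")  # constructed contents
        (app / "helper.dll").write_bytes(b"MZ helper v1")
        (app / "readme.txt").write_bytes(b"not an application file")
        save_baseline(build_baseline(root, exts), root / "baseline.json")

        (app / "setup.exe").write_bytes(b"MZ setup")              # new program
        (app / "control.cpl").write_bytes(b"MZ control panel")   # extension not in the default list
        (app / "helper.dll").write_bytes(b"MZ helper v2")         # shared DLL replaced
        return compare(load_baseline(root / "baseline.json"), build_baseline(root, exts))


if __name__ == "__main__":
    print(demo())          # control.cpl is invisible until its extension is added
    print(demo(["cpl"]))   # now it is reported as an unknown application file
```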



Managing your authorized applications 



After you have created your baseline, you can change the authorizations of any file in it. 
You can allow it to run, or you can prevent it from running. If you allow it to run, you can 
block it from accessing a network or allow it to access the network. 



Changing application permissions 



To manage your authorized application files: 

1. On the Tools menu, select Advanced Application Protection Settings. 

2. Click the Known Applications tab. 

BlackICE displays the list of applications it has detected on your computer. 

3. In the Filename column, find the name of the application file whose authorization 
you want to change. 

■ To prevent the application from running, select Terminate in the Application Control column. BlackICE adds the application to the list of programs that are not allowed to run on this computer. 

■ To allow the application to run, leave the selection in the Application Control column blank. BlackICE regards this as an authorized application. 

4. Click Save Changes. 



Stopping Application Protection temporarily 



To stop BlackICE from monitoring your computer for unauthorized applications: 

• On the Tools menu, click Stop BlackICE Application Protection. 

Caution: When you stop the Application Protection component, your computer is no longer protected from running unauthorized applications, such as Trojans. However, BlackICE intrusion detection monitoring is still in effect. 
Disabling Application Protection 



To permanently prevent BlackICE from monitoring your system for unauthorized applications, follow this procedure: 

1. On the Tools menu, select Edit BlackICE Settings, and then select the Application Control tab. 

2. Clear Enable Application Protection. 

BlackICE disables the Application Protection feature. You must manually enable Application Protection to resume the service. 

Note: Stopping the Application Protection component is not the same as disabling it. 
When you stop the Application Protection component, it resumes protecting your system 
when you restart your computer. If you disable the component, it does not restart when 
you restart your computer. To make it available again, you must re-enable it. 



More information 

For more information about using your Application Protection settings, see "Advanced Application Protection Settings" on page 71 and "The Application Control Tab" on page 59. 
Protecting Your Computer From Unauthorized Communications 

Introduction 

When you set your communications control preferences, you establish a rule for BlackICE PC Protection to follow whenever an application tries to access a network without your approval. You have the option of terminating the application or letting it run. If you choose to let it run, you can block its network access or allow it to reach the network. 



How to set your communications preferences 

To set your communications control preferences: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings, and then select the Communications Control tab. 

2. To watch for outbound communications from this computer, select Enable Application Protection. 

For information about using this option, see "Disabling Application Protection" on page 25. 

3. Choose one of these options: 

■ To automatically close down any unauthorized application that tries to access a network from your computer, select Always terminate the application. If you installed BlackICE in Unattended mode, this option is selected by default. 

■ To have BlackICE give you the choice of running or terminating the unauthorized process whenever it tries to contact a network, select Prompt before terminating the application. This option is selected by default. 

■ To allow unauthorized processes to run but automatically block them from connecting to a network, select Always block network access for the application. 

■ To have BlackICE ask you whether an unauthorized process can connect to a network, select Prompt before blocking network access for the application. 

Note: For more information about how your installation options affect your default Communications Control settings, see the BlackICE PC Protection Getting Started Guide. 



Managing your applications' communications 

You can change the authorizations of any application in your baseline. You can allow it to communicate with a network or prevent it from communicating. 

To change authorizations: 



1. On the Tools menu, select Advanced Application Protection Settings. 

2. Click the Known Applications button. 

The application files on your computer appear in the window. 

■ To automatically close down an application when it attempts to connect to a 
network, select Terminate in the Communications Control column. 

■ To prevent an application from communicating with a network, select Block in the 
Communications Control column. 

■ To explicitly allow an application to communicate with a network, leave the 
Communications Control column blank. 

3. Click Save Changes. 

For more information about setting your Communications Control preferences, see "The 
Communications Control Tab" on page 61. 
Responding to Application Protection Alerts 

Introduction 

Most of the time, you trigger the Application Protection component when you start a new program through the Start menu or by clicking a shortcut. However, a program that starts without giving any on-screen indication can also trigger Application Protection. If you have enabled Application Protection and selected Ask me what to do, BlackICE alerts you when an unknown application starts, even if you are not aware of it starting. 

Procedure 

To respond to the Application Protection dialog: 

1. Are you installing new software on your computer? 

■ If no, go to Step 4. 

■ If yes, click Install Mode Options, and then click Enable Install Mode. 

BlackICE temporarily stops Application Protection so that the new software can start the applications required for its installation. BlackICE will remind you every three minutes to enable Application Protection again. 

Note: Some installation programs require you to restart your computer. BlackICE Application Control stays in Install Mode even if you restart. This may be necessary for some software installations or updates that continue to install after system reboot. 

After three minutes, BlackICE asks if you are ready to stop using Install Mode. 

2. Is the installation complete? 

■ If no, click Cancel and continue the installation. 

■ If yes, click Disable Install Mode. 

BlackICE asks if you want to update your system baseline. 

3. Click OK. 

BlackICE updates your system baseline to include the new software. 

4. Are you certain that this is an application you have authorized? 

■ If no, go to Step 5. 

■ If yes, click Continue. 

BlackICE allows the application to start. 

Tip: To have BlackICE assume this application is authorized every time it runs, select Don't ask me again, then click Continue. BlackICE adds the application to your list of authorized applications and does not warn you about it again. 

5. Click More Info... 

A popup dialog box appears with the name and path of the application file that 
triggered Application Protection. 

6. Is this file an authorized application? 

■ If no, go to Step 7. 

■ If yes, click OK, and then click Continue. 
BlackICE allows the application to start. 

7. Do you want to enable the application to run even though it may be a dangerous 
program? 

■ If no, click OK, select Don't ask me again, and then click Terminate. 

BlackICE adds the application to your list of prohibited applications. 

■ If yes, click OK, and then click Continue. 

BlackICE allows the application to start. 
Installing Software when Application Protection is Running 

Introduction 

When you install a new application, BlackICE identifies that application's setup program as an unknown application and alerts you that an application is trying to run without authorization. 



Overriding Application Protection 

If you have chosen to install this application, you can override the Application Protection component temporarily to install the application and add it to your computer's baseline profile. 

Important: Install software only when you are certain that it comes from a trustworthy source. 



Procedure 

To override Application Protection: 

1. Start the setup program for the application you want to install. 

BlackICE alerts you that it has detected an unknown application. 

2. In the Application Protection alert dialog, click More Info to make sure you are 
working with the correct application setup file. 

BlackICE displays the path and filename of the application file that triggered this alert. 

3. Click Install Mode Options. 

4. Under Advanced Options, click Enable Install Mode. 

BlackICE suspends Application Protection temporarily. 

5. Complete the installation process for the new application. 

Within three minutes, BlackICE prompts you to resume Application Protection. 

6. Is the installation complete? 

■ If no, click Cancel and return to Step 5. 

■ If yes, click Disable Install Mode. 

7. In the Application Protection dialog, click Update. 

BlackICE updates your computer's baseline profile to include the new application. 
Back Tracing 

Introduction 

BlackICE PC Protection can track an intruder's activities to help you determine what an intruder did to your computer. This topic explains how to gather and use this information. 



How does back tracing work? 

Back tracing is the process of tracing a network connection to its origin. When somebody connects to your computer over a network such as the Internet, your system and the intruder's system exchange packets. Before an intruder's packets reach your system, they travel through several routers. BlackICE PC Protection can read information from these packets and identify each router the intruder's packets had to travel through. BlackICE can often identify the intruder's system in this way. 



Back tracing information 

When BlackICE back traces an intruder, it attempts to gather the IP address, DNS name, NetBIOS name, Node, Group name, and MAC address. Skilled intruders will often try to block BlackICE from acquiring this information. 

Direct and indirect tracing 

BlackICE can trace intruders directly or indirectly. 

• An indirect trace uses protocols that do not make contact with the intruder's system, but collect information indirectly from other sources along the path to the intruder's system. Indirect back tracing does not make contact with the intruder's system, and therefore does not acquire much information. Indirect traces are best suited for lower-severity attacks. 

• A direct trace goes all the way back to the intruder's system to collect information. Direct back tracing makes contact with the intruder's system and therefore can acquire a lot of information. Direct back traces are best for high-severity attacks, when you want as much information about the intruder as possible. However, intruders can detect and block a direct trace. 

Where is the back tracing information? 

Back tracing information appears in two places: 

• in the information pane of the Intruder tab 

• in standard text files in the Hosts folder in the directory where BlackICE is installed. Each file is prefixed with the intruder's IP address. 

Note: The severity of the incoming event, not the identity of the intruder, triggers the back trace. 

Procedure 

To set up back tracing: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings. 

2. Select the Back Trace tab. 

3. Type the severity level for an indirect trace in the Indirect Trace Threshold box. 

Note: The default threshold for an indirect trace is 3. With this setting, any event with a severity of 3 or above triggers an indirect back trace. 

4. Do you want BlackICE to query Domain Name Service servers for information about the intruder? 

■ If yes, select DNS lookup. 

■ If no, clear DNS lookup. 



5. Type the severity level for a direct trace in the Direct Trace Threshold box. 

Note: The default threshold for the direct trace is 6. With this setting, any event with a 
severity of 6 or above triggers a direct back trace. 

6. Do you want BlackICE to determine the computer address of the intruder's computer? 

■ If yes, select NetBIOS nodestatus. 

■ If no, clear NetBIOS nodestatus. 

For more information about setting your back tracing preferences, see "The Back Trace 
Tab" on page 54. 
Collecting Evidence of Intrusions 

Introduction 

BlackICE PC Protection can capture network traffic attributed to an intrusion and place that information into an evidence file. BlackICE captures and decodes each packet coming into the system, so it can generate files that contain detailed information about the intruder's network traffic. 



Where are my evidence files? 

BlackICE evidence files are stored in the installation directory folder. For example, if you install BlackICE in the Program Files directory on the C: drive, the evidence files are located in C:\Program Files\ISS\BlackICE. Each file has an *.enc extension. 

Note: If you upgraded to BlackICE PC Protection 3.6 from a previous version of BlackICE, your evidence log files are still stored in C:\Program Files\Network ICE\BlackICE. 



Using evidence files 



The evidence and packet log files are trace files. You must have a trace file decoding 
application to view the contents of these files. Many networking and security product 
companies produce such decoders. Some shareware decoders are also available on the 
Internet. If you are using Windows NT or Windows 2000 Server, you can install the 
Network Monitoring service, which includes Network Monitor, a decoding application. 
See the Windows NT or Windows 2000 documentation for more information. 



Procedure 

To collect evidence files: 

1. From the Main Menu, select Tools -> Edit BlackICE Settings. 

2. Select the Evidence Log tab. 

3. Select Logging Enabled. 

4. In the File prefix box, specify a prefix for the evidence file names. 

■ For example, if you enter evd, BlackICE will create files named evd000.enc, evd001.enc, and so on. 

5. In the Maximum Size box, specify how large each evidence file can get. 
Note: For best results, keep this value smaller than 2048 kilobytes (2 MB). 

6. In the Maximum Number of Files box, choose how many files BlackICE can generate in the specified collection time period. 

Note: For example, if the maximum number of files is 32 (the default value), BlackICE does not generate more than 32 evidence files in any 24-hour period. 
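The File prefix, Maximum Size and Maximum Number of Files settings from this procedure applied to a stream of captured packets, as an added example in Python (not BlackICE code): files are named prefix plus a running counter, a new file is opened when the current one would exceed the size limit, and no new file is opened once the per-24-hour cap is reached. The EvidenceLog class and its sliding-window reading of "any 24-hour period" are my assumptions, and packets are written as raw bytes because the .enc format is not documented here.

```python
from datetime import datetime, timedelta
from pathlib import Path
import tempfile
from typing import List, Optional


class EvidenceLog:
    """Hypothetical evidence-file writer (not BlackICE code) driven by the
    Evidence Log tab settings: prefix, Maximum Size, Maximum Number of Files."""

    def __init__(self, folder: Path, prefix: str = "evd",
                 max_size_kb: int = 2048, max_files: int = 32):
        self.folder = folder
        self.prefix = prefix
        self.max_bytes = max_size_kb * 1024
        self.max_files = max_files
        self.counter = 0                  # next file number to use
        self.current: Optional[Path] = None
        self.current_size = 0
        self.opened: List[datetime] = []  # open times, for the 24-hour cap
        self.dropped = 0                  # packets not logged because the cap was hit

    def _name(self) -> Path:
        # evd000.enc, evd001.enc, ... as the manual describes.
        return self.folder / f"{self.prefix}{self.counter:03d}.enc"

    def _open_new(self, now: datetime) -> bool:
        # Forget opens older than 24 hours, then enforce the per-period cap.
        self.opened = [t for t in self.opened if now - t < timedelta(hours=24)]
        if len(self.opened) >= self.max_files:
            return False
        self.current = self._name()
        self.current.write_bytes(b"")
        self.current_size = 0
        self.counter += 1
        self.opened.append(now)
        return True

    def write(self, packet: bytes, now: datetime) -> bool:
        """Append one packet, rolling to a new file when the current one would
        exceed Maximum Size. Returns False (and counts a drop) when the cap
        forbids opening another file."""
        if self.current is None or self.current_size + len(packet) > self.max_bytes:
            if not self._open_new(now):
                self.dropped += 1
                return False
        with self.current.open("ab") as f:
            f.write(packet)
        self.current_size += len(packet)
        return True


def demo() -> dict:
    """Constructed run with tiny limits (1 KB files, 3 files per day) so the
    rotation and the daily cap are visible without real traffic."""
    with tempfile.TemporaryDirectory() as tmp:
        log = EvidenceLog(Path(tmp), prefix="evd", max_size_kb=1, max_files=3)
        t0 = datetime(2003, 1, 1, 0, 0, 0)
        packet = b"\x00" * 600  # constructed: each 1 KB file holds one such packet
        results = [log.write(packet, t0 + timedelta(minutes=i)) for i in range(5)]
        names = sorted(p.name for p in Path(tmp).iterdir())
        later = log.write(packet, t0 + timedelta(hours=25))  # the 24-hour window has passed
        return {"written": results, "files": names, "dropped": log.dropped,
                "after_24h": later}


if __name__ == "__main__":
    print(demo())
```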



Clearing evidence logs 

To delete evidence logs: 

Note: Clearing evidence log data does not affect the BlackICE intrusion detection and 
firewall functions. 

1. From the Main Menu, click Tools -> Clear Files. 
   The Files to Delete window appears. 

2. Select Evidence logs. 

3. Click OK. 

For more information about setting your evidence logging preferences, see "The Evidence 
Log Tab" on page 52. 
Recording Network Traffic 



Introduction 



Packet logging records all the packets that enter your computer. This can be useful if you 
need more detailed information than evidence logs contain. 



Where are my packet log files? 

BlackICE packet log files are stored in the installation directory folder. For example, if you 
install BlackICE in the Program Files directory on the C: drive, the packet log files are 
located in C:\Program Files\ISS\BlackICE. Each file has an *.enc extension. 

Note: If you upgraded to BlackICE PC Protection 3.6 from BlackICE 3.1 or an earlier 
version, your packet log files are still stored in C:\Program Files\Network ICE\BlackICE. 



Using packet logs 

The packet log files are trace files. You must have a trace file decoding application to view 
the contents of these files. Many networking and security product companies produce 
such decoders. Some shareware decoders are also available on the Internet. If you are 
using Windows NT or Windows 2000 Server, you can install the Network Monitoring 
service, which includes Network Monitor, a decoding application. See the Windows NT or 
Windows 2000 documentation for more information. 



Procedure 

To collect packet logs: 

1. From the Main Menu, click Tools -> Edit BlackICE Settings. 

2. Select the Packet Log tab. 

3. Select Logging Enabled. 

4. In the File prefix box, specify the prefix for the packet log file names. 

   ■ BlackICE automatically places an incremental counter in the filename. For example, 
   if you enter ABC, the file names will be ABC0001.enc, ABC0002.enc, and so on. 

5. In the Maximum Size box, specify how large each log file can get. 

   Note: For best results, keep this value under 2048 kilobytes (2 MB). 

6. In the Maximum Number of Files box, specify how many log files to generate. 

   Note: The default is 10. 

   Packet log files are generated until the maximum number of files are used. When the 
   maximum number of files is used, BlackICE starts replacing the first log file with a 
   new file, and so on. 
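The two rotation rules in this chapter differ in a way that matters when you go looking for a capture later: packet logs fill a fixed ring of files (Maximum Number of Files) and then overwrite the oldest one, while evidence logging stops creating files once it has written Maximum Number of Files within a 24-hour period. The following Python is an added example, not BlackICE code: it models both rules on small, constructed limits so you can see which file a given record lands in, when earlier data is lost, and when an event goes without an evidence file. The four-digit counter width, the rolling 24-hour window and the record sizes are assumptions.

```python
from collections import deque

KB = 1024
DAY = 24 * 60 * 60  # evidence-log collection window in seconds (assumed to be rolling)


class PacketLogRotation:
    """Packet log rule: append to the current file until the next record would
    push it past Maximum Size, then open the next numbered file; once Maximum
    Number of Files exist, wrap around and overwrite the first one."""

    def __init__(self, prefix="log", max_size_kb=2048, max_files=10):
        self.prefix = prefix
        self.max_bytes = max_size_kb * KB
        self.max_files = max_files
        self.slot = 1              # 1-based slot currently being written
        self.sizes = {}            # file name -> bytes it currently holds
        self.overwrites = 0        # how many times an existing file was recycled

    def name(self, slot):
        return f"{self.prefix}{slot:04d}.enc"   # counter width is an assumption

    def append(self, record: bytes) -> str:
        current = self.name(self.slot)
        used = self.sizes.get(current, 0)
        if used and used + len(record) > self.max_bytes:
            self.slot = self.slot % self.max_files + 1   # N wraps back to 1
            current = self.name(self.slot)
            if current in self.sizes:
                self.overwrites += 1                     # recycling: old contents are gone
            self.sizes[current] = 0
        self.sizes[current] = self.sizes.get(current, 0) + len(record)
        return current


class EvidenceLogQuota:
    """Evidence log rule: one new file per triggering event, but never more
    than Maximum Number of Files in any 24-hour period. Past the quota the
    event is still reported, but no evidence file is written for it."""

    def __init__(self, prefix="evd", max_size_kb=1400, max_files=32):
        self.prefix = prefix
        self.max_bytes = max_size_kb * KB
        self.max_files = max_files
        self.counter = 0
        self.created = deque()     # creation times still inside the 24-hour window
        self.sizes = {}
        self.skipped = 0

    def on_event(self, now: float, packet: bytes):
        while self.created and now - self.created[0] >= DAY:
            self.created.popleft()                       # slide the window forward
        if len(self.created) >= self.max_files:
            self.skipped += 1
            return None
        self.created.append(now)
        self.counter += 1
        name = f"{self.prefix}{self.counter:04d}.enc"
        self.sizes[name] = min(len(packet), self.max_bytes)   # capped at Maximum Size
        return name


def simulate():
    """Constructed scenario with tiny limits so both rules trigger quickly."""
    pkt = PacketLogRotation(prefix="ABC", max_size_kb=1, max_files=3)
    packet_names = [pkt.append(b"\x00" * 400) for _ in range(10)]   # two 400 B records per 1 KB file

    evd = EvidenceLogQuota(prefix="evd", max_files=2)
    event_times = [0, 100, 200, DAY + 50, DAY + 150]                 # the third event exceeds the quota
    evidence_names = [evd.on_event(t, b"\x00" * 60) for t in event_times]

    return {
        "packet_names": packet_names,
        "packet_files": len(pkt.sizes),
        "packet_overwrites": pkt.overwrites,
        "evidence_names": evidence_names,
        "evidence_skipped": evd.skipped,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run it directly to print the file-name sequence. With the defaults from the two tabs (10 files of 2048 KB for packet logs; 32 evidence files per day of up to 1400 KB each), the same classes give the worst-case disk footprint: about 20 MB for packet logs and about 44 MB per day for evidence files.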

Clearing packet logs 

To delete packet logs: 

1. From the Main Menu, select Tools -> Clear Files. 
   The Files to Delete window appears. 

2. Select Packet logs. 

3. Click OK. 

Note: Clearing packet log data does not affect the BlackICE intrusion detection and 
firewall functions. 

For more information about choosing your packet logging settings, see "The Packet Log 
Tab" on page 50. 
Exporting BlackICE Data 

Introduction 

You may want to export BlackICE PC Protection data into a spreadsheet program or word 
processor to look at the intrusion activity on your computer. 

Procedure 

To export data: 

1. On the Events tab or the Intruders tab, copy or cut the selected information to place it 
   on the clipboard. 

2. Paste the information into any application that accepts text input. 
Reporting Abuse 

Introduction 

Internet Service Providers (ISPs) are interested in catching malicious intruders. When you 
see a pattern of events that appear to be attacks on your computer, you can report the 
events to the intruder's ISP. 

Procedure 

Send an email to the intruder's ISP with a copy of your event list and ask them to block 
the attacks. Most ISPs maintain an address for these reports in this form: 

abuse@anyisp.net 
Appendix A 

Operating Tabs 

Overview 

Introduction 

This appendix describes the user interface screens you can use to monitor the information 
BlackICE PC Protection gathers and control how BlackICE operates. 

In this appendix 

This appendix contains the following topics: 

Tab                    Page 
The Events Tab         40 
The Intruders Tab      43 
The History Tab        45 
The Events Tab 

Introduction 

The Events tab summarizes all intrusion and system events on your computer. The tab 
columns show the time, type, and severity of an event; the intruder's name and IP 
address; how BlackICE has responded to the event; and other information. 

Customizing information 

To customize the information on the Events tab, right-click a column header and select 
Columns. A window appears in which you can add, hide, show, resize, or rearrange 
columns. By default, the information on the Events tab is sorted first by severity, then by 
time. 

Sorting 

Click a column header to sort the list by that column. Click the column header again to 
reverse the sort order. 

Event Info button 

When you select an event in the Events tab, a brief description of the attack appears at the 
bottom of the tab. For more information about the event, or to see suggested remedies for 
the attack, click Event Info to connect to the ISS Web site for the latest information about 
that event. 

Note: For more information about filtering the information shown on the Events tab, 
see "Filtering the Events List" on page 14. 

Default Events tab columns 

This table describes the default columns on the Events tab. For information about adding 
optional columns, see "Showing and hiding columns" on page 15. 

This column...        Contains this information... 

Severity 
    A visual representation of the severity of an event and the response from BlackICE 
    PC Protection. For more information, see "Severity levels" on page 12. 

Time 
    The date and time the event occurred, in 24-hour format. 

Event 
    The name of the event type. A description of the event is displayed at the bottom of 
    the window. 

Intruder 
    The NetBIOS or DNS name of the attacking system. When BlackICE cannot determine a 
    name, it displays the intruder's IP address. 

Count 
    If an intruder executes the same attack several times, the Events tab shows the 
    collected occurrences as one event. This column displays the number of occurrences 
    that made up that event. The Time column shows the time of the most recent 
    occurrence. 

Table 5: Events tab default columns 
Optional columns on the Events tab 

This table describes optional columns that you can add to the Events tab. To add an 
optional column, right-click any column heading and select Columns... 

This column...        Contains this information... 

TCP Flags 
    Data in the packet header specifying the intended treatment of the packet, such as 
    R (reset), P (push), or U (urgent). 

Parameter(s) 
    When an intruder is scanning a particular port, this column displays the port numbers 
    scanned. To consult the ISS Web site for details about what the scan may indicate, 
    click the Event Info button. The Parameter(s) column cannot be used to sort the 
    Events list. 

Protocol ID 
    The network protocol (such as HTTP, FTP, or NetBIOS) applicable to the intruder's 
    communications. For example, if the intruder was sending malicious Web site 
    commands, the protocol would likely be HTTP. 

Destination Port 
    The TCP/UDP port on the local system that was the target of the attempted intrusion. 

Source Port 
    The TCP/UDP port on the intruder's system where the event originated. 

Target 
    The NetBIOS (WINS) name or DNS name of the attacked system (the target). In most 
    cases, this is the local system. If BlackICE cannot determine a name, it shows the 
    target's IP address. 

Target IP 
    The IP address of the attacked system. This is usually the IP address of the local 
    system. 

Intruder IP 
    The IP address of the attacking system. 

Event ID 
    Internal reference number for each unique event signature. 

Response Level 
    A visual representation of the protection BlackICE provided against the intrusion. 
    Each event is indicated with one of five response levels. For information on how 
    BlackICE responds to events, see "Response Levels" on page 15. 

Severity (numeric) 
    A numeric representation of the severity of the event. For more information, see 
    "Understanding BlackICE Alerts" on page 9. 

Table 6: Events tab optional columns 
Shortcut commands on the Events tab 

This table describes the commands available by right-clicking an item on the Events tab: 

This command...       Has this effect... 

Ignore Event 
    To ignore an event, right-click an event/intruder combination, and then select Ignore 
    Event. Ignoring event types is a useful way to stop BlackICE from reporting routine 
    scans from ISPs and network probes. 

Select Most Recent 
    To find the most recent event of the same type as the highlighted one, right-click the 
    event and click Select Most Recent. 

Block Intruder 
    To block an intruder, right-click an event/intruder combination, and then select Block 
    Intruder. 

Trust Intruder 
    To trust an intruder, right-click an event/intruder combination, and then select Trust 
    Intruder. On the submenu, select Trust and Accept or Trust Only. 

Cut 
    To remove an event/intruder combination from the list, right-click the event/intruder 
    combination, and then select Cut. 

Copy 
    To copy an event/intruder combination to your computer's clipboard, right-click the 
    event/intruder combination, and then select Copy. 

Delete 
    To remove an event/intruder combination from the list, right-click the event/intruder 
    combination, and then select Delete. 

Select All 
    To select all the events in the list, right-click an event/intruder combination, and then 
    select Select All. 

Find 
    To search for a record in the list, right-click an event/intruder combination, and then 
    select Find. 

Clear Events List 
    To remove all events from the list, right-click anywhere in the list, and then select 
    Clear Events List. 

Print 
    To print the entire contents of the Events list, right-click an event/intruder 
    combination, and then select Print. 

Table 7: Events tab shortcut commands 



Buttons on the Events tab 

This table describes the buttons that appear on the Events tab: 

This button...        Has this effect... 

Close 
    Closes the main BlackICE window. The detection and protection engine remains 
    active. 

Help 
    Displays the online Help for this tab. 

Table 8: Events tab buttons 
The Intruders Tab 

Introduction 

The Intruders tab displays all the information BlackICE PC Protection has collected about 
all the intruders who have initiated events on your system. This information helps you 
determine the severity and location of each intruder. 

Sorting 

By default, the intruder list is sorted first in alphabetical order by intruder and then in 
descending order of severity. Click a column header to sort the list by that column. Click 
the column header again to reverse the sort order. 

Details pane 

When you select an intruder from the Intruder list, the information BlackICE PC 
Protection has gathered about the intruder appears in the Details pane. 

Default columns on the Intruders tab 

This table describes the columns that appear by default on the Intruders tab: 

This column...        Contains this information... 

Severity icon 
    The severity icon is a visual representation of the severity of an event and the 
    response from BlackICE. For more information, see "Severity levels" on page 12. 

Blocked State icon 
    The blocked state icon indicates that BlackICE is blocking all network traffic from this 
    intruder. For information about blocking an intruder, see "Blocking Intrusions" on 
    page 17. 

Intruder 
    The NetBIOS or DNS name of the attacking system. When BlackICE cannot determine a 
    name, it displays the intruder's IP address. 

Table 9: Intruders tab default columns 



Shortcut commands on the Intruders tab 

This table describes the commands available by right-clicking information on the 
Intruders tab: 

This command...       Has this effect... 

Block Intruder 
    To block an intruder, right-click the intruder, then select Block Intruder. 

Trust Intruder 
    To trust an intruder, right-click the intruder, then select Trust Intruder. On the 
    submenu, select Trust and Accept or Trust Only. 

Cut 
    To remove an intruder from the list, right-click the intruder, then select Cut. 

Copy 
    To copy an intruder to your computer's clipboard, right-click the intruder, and then 
    select Copy. 

Delete 
    To remove an intruder from the list, right-click the intruder, then select Delete. 

Select All 
    To select all the intruders in the list, right-click any intruder, then select Select All. 

Find 
    To search for an intruder in the list, right-click any intruder, and then select Find. 

Print 
    To print the entire contents of the Intruders list, right-click any intruder, and then 
    select Print. 

Table 10: Intruders tab right-click commands 



Optional columns on the Intruders tab 

This table describes the optional columns you can add to the Intruders tab. For 
information about adding optional columns to the display, see "Showing and hiding 
columns" on page 15. 

This column...        Contains this information... 

Intruder IP 
    The IP address of the attacking system. 

Severity (numeric) 
    The highest severity rating attributed to this intruder. 

Table 11: Intruders tab optional columns 

Buttons on the Intruders tab 

This table describes the buttons that appear on the Intruders tab: 

This button...        Has this effect... 

Close 
    Closes the main BlackICE window. The detection and protection engine remains 
    active. 

Help 
    Displays the online Help for this tab. 

Table 12: Intruders tab buttons 
The History Tab 

Introduction 

The History tab graphs network and intrusion activity on your computer. 

Note: For detailed information about activity on the Events graph, click the graph near 
the marker that shows the time you are interested in. The Events tab appears, with the 
intrusion closest to that time highlighted. 

History tab options 

This table describes the options available on the History tab: 

This option...        Has this effect... 

Interval 
    Selects the interval for displaying activity on both graphs: 

    • Min displays activity over the last 90 minutes. 

    • Hour displays activity over the last 90 hours. 

    • Day displays activity over the last 90 days. 

Table 13: History tab options 

Information on the History tab 

This table describes the features on the History tab that provide information about 
intrusions: 

This feature...       Has this effect... 

Total in 90 Hours (Days, Minutes) 
    Displays summary statistics for the selected interval: 

    • Critical displays the number of events rated critical. This event type is tracked 
      with a red line on the Events graph. 

    • Suspicious displays the number of events rated serious and suspicious. These 
      event types are tracked with a yellow line on the Events graph. 

    • Traffic displays the amount of network traffic, measured in number of packets. 
      Traffic is tracked with a green line on the Network Traffic graph. 

Events Graph 
    Displays the number of critical and suspicious events detected per second during 
    the specified period. The maximum number of events per second appears in the 
    upper left corner of the Events graph. 

Network Traffic Graph 
    Tracks the number of packets your system sends and receives during the period 
    shown. The maximum number of packets per second appears in the upper left 
    corner of the Network Traffic graph. 

Table 14: History tab information features 
History tab buttons 

This table describes the buttons on the History tab: 

This button...        Has this effect... 

Close 
    Closes the main BlackICE window. The detection and protection engine remains 
    active. 

Help 
    Displays the Help. 

Table 15: History tab buttons 
Overview 

Introduction 

You can control some aspects of the way BlackICE PC Protection works by changing the 
settings on the configuration tabs. This appendix describes the features of those screens. 

In this Appendix 

This appendix contains the following topics: 

Topic                             Page 
The Firewall Tab                  48 
The Packet Log Tab                50 
The Evidence Log Tab              52 
The Back Trace Tab                54 
The Intrusion Detection Tab       55 
The Notifications Tab             56 
The Prompts Tab                   58 
The Application Control Tab       59 
The Communications Control Tab    61 
The Firewall Tab 

Introduction 

Use the Firewall tab to choose how tightly BlackICE controls access to your computer. 

Protection level settings 

You can choose one of these four protection levels: 

Level                 Description 

Paranoid 
    All ports are blocked to incoming traffic. 

Nervous 
    All system ports are blocked, and TCP application ports 1024 through 6635 are 
    blocked. 

Cautious 
    All system ports are blocked, but all application ports that you have not explicitly 
    blocked are open. This is the default setting. 

Trusting 
    Keeps all ports open and unblocked, allowing all inbound traffic. 

Table 16: Protection levels 

For information about how to choose your protection level, see "Choosing the 
Information You Need" on page 14. 

Enable Auto-Blocking 

When this option is selected, BlackICE automatically blocks intruders when they attempt 
to break into your computer. To stop auto-blocking, clear this option. Attacks are still 
reported and logged, but not automatically blocked. 

If Auto-Blocking is not selected, you must manually block intruders to protect your 
computer. 

Allow Internet File Sharing 

Internet or Windows file sharing allows you to share files with others across the Internet 
or over a LAN. For example, you can connect your computer to the Internet and upload or 
download files. If you are on a network and share files among its computers, select this 
option; otherwise leave it clear. 

Clear this check box to: 

• prevent remote computers from connecting to your computer and accessing your 
shares over the Internet or network 

• make your computer unavailable to all computers on a local network 

Note: This option modifies the firewall setting for TCP port 139. If you select this option, 
BlackICE accepts communications on port 139; if you disable this option, BlackICE rejects 
or blocks communications on port 139. On Windows 2000, this setting also affects port 
445. 

Allow NetBIOS Neighborhood 

Select this option to allow your computer to appear in the Network Neighborhood of 
other computers. 

Clear this option to hide a computer from the Network Neighborhood. Hiding your 
computer does not disable file sharing, but users must locate the computer manually 
using its IP address. 

Note: This option modifies the firewall setting for UDP ports 137 and 138. If you select 
this option, BlackICE accepts communications on these ports; if you disable this option, 
BlackICE rejects or blocks communications on these ports. 
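To make the interaction between the protection level and the two check boxes concrete, here is a Python model of the inbound rules as this tab describes them. It is an added example, not BlackICE code. The Nervous TCP range is used exactly as printed above (1024 through 6635); treating the file-sharing and NetBIOS check boxes as overriding the level for TCP 139/445 and UDP 137/138, and treating "system ports" as 0 through 1023, are assumptions. Only unsolicited inbound packets are modelled; outbound and return traffic is out of scope.

```python
from dataclasses import dataclass

SYSTEM_PORTS = range(0, 1024)               # "system ports" in the level descriptions (assumed 0-1023)
NERVOUS_TCP_APP_PORTS = range(1024, 6636)   # "1024 through 6635", taken as printed in Table 16
FILE_SHARING_TCP = {139}                    # Allow Internet File Sharing; 445 is added on Windows 2000
NEIGHBORHOOD_UDP = {137, 138}               # Allow NetBIOS Neighborhood
LEVELS = ("Paranoid", "Nervous", "Cautious", "Trusting")


@dataclass(frozen=True)
class FirewallSettings:
    level: str = "Cautious"                      # the default level per Table 16
    allow_file_sharing: bool = False
    allow_netbios_neighborhood: bool = False
    windows_2000: bool = False
    blocked_app_ports: frozenset = frozenset()   # application ports you blocked explicitly


def inbound_allowed(s: FirewallSettings, proto: str, dst_port: int) -> bool:
    """Return True if an unsolicited inbound packet to dst_port gets through."""
    if s.level not in LEVELS:
        raise ValueError(f"unknown protection level: {s.level}")
    proto = proto.upper()
    # The two check boxes are described as setting the firewall rule for their
    # ports directly, so they are evaluated before the level (assumption).
    sharing_ports = FILE_SHARING_TCP | ({445} if s.windows_2000 else set())
    if proto == "TCP" and dst_port in sharing_ports:
        return s.allow_file_sharing
    if proto == "UDP" and dst_port in NEIGHBORHOOD_UDP:
        return s.allow_netbios_neighborhood
    if s.level == "Trusting":
        return True                              # all ports open
    if s.level == "Paranoid":
        return False                             # all ports blocked
    if dst_port in SYSTEM_PORTS:
        return False                             # Nervous and Cautious: system ports blocked
    if dst_port in s.blocked_app_ports:
        return False                             # an explicit block closes an application port
    if s.level == "Nervous" and proto == "TCP" and dst_port in NERVOUS_TCP_APP_PORTS:
        return False                             # Nervous also closes this TCP range
    return True                                  # remaining application ports are open


def compare_levels(proto: str, dst_port: int, **checkboxes) -> dict:
    """Show how the same probe fares under each of the four levels."""
    return {lvl: inbound_allowed(FirewallSettings(level=lvl, **checkboxes), proto, dst_port)
            for lvl in LEVELS}


if __name__ == "__main__":
    for proto, port in (("TCP", 80), ("TCP", 5000), ("UDP", 5000), ("TCP", 139), ("UDP", 137)):
        print(f"{proto} {port}: {compare_levels(proto, port)}")
```

Note that with the defaults (Cautious, both check boxes clear) TCP 139 is closed even though Cautious only promises to block system ports, and that under Trusting the NetBIOS ports stay closed until the check boxes are selected; the model makes those two overrides visible, which the level table alone does not.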

Firewall tab buttons 

This table describes the buttons that appear on the Firewall tab. 

This button...        Has this effect... 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 
The Packet Log Tab 

Introduction 

The Packet Log tab allows you to configure the BlackICE PC Protection packet logging 
features. When packet logging is enabled, BlackICE records all the network traffic that 
passes through your computer. 

Packet logs or evidence logs? 

Because they contain a record of all network traffic, packet logs can grow very large and 
occupy a lot of disk space. If you do not need to record every packet, evidence logging 
may be a better choice. See "Collecting Evidence of Intrusions" on page 32. 

Reading packet logs 

Packet logs are stored in the BlackICE installation directory. If you installed BlackICE in 
the default location, you can find the packet log files at C:\Program Files\ISS\BlackICE. 
Use a trace file decoding application such as Network Monitor to view the information 
in these files. 

Note: If you upgraded to 3.6 from a previous version of BlackICE, your packet log files 
are still stored in C:\Program Files\Network ICE\BlackICE. 

Packet log files are encoded as trace files. You must have a decoding application. See the 
Windows NT or Windows 2000 documentation for more information. 

Packet Log settings 

This table describes the settings on the Packet Log tab: 

This setting...       Has this effect... 

Logging Enabled 
    When selected, BlackICE captures packet logs. Packet logging is disabled by default. 

File Prefix 
    Specifies the prefix for the packet log file names. BlackICE automatically places an 
    incremental counter in the filename. For example, if you enter ABC, the file names 
    will be ABC0001.enc, ABC0002.enc, etc. The default file prefix is log. 

Maximum Size (kilobytes) 
    Specifies the maximum size, in kilobytes, for each log file. The default value is 2048 
    kilobytes. 

Maximum Number of Files 
    Specifies the maximum number of log files to generate. The default value for the 
    maximum number of files to log is 10. 

Table 17: Packet Log tab settings 

For more information about setting your packet logging preferences, see "Collecting 
Packet Logs" on page 37. 
Packet Log tab buttons 

This table describes the buttons that appear on the Packet Log tab. 

This button...        Has this effect... 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 
The Evidence Log Tab 

Introduction 

When your computer is attacked, BlackICE PC Protection can capture evidence files that 
record network traffic from the intruding computer. Evidence files record the specific 
packet that set off a protection response. This can be a good way to investigate intrusions 
without using a lot of disk space for records. 

Evidence files 

Evidence files are located in the installation directory folder. For example, if you installed 
BlackICE in the Program Files directory on the C: drive, the evidence files are in 
C:\Program Files\ISS\BlackICE. The file extension for all evidence log files is *.enc. 

Note: If you upgraded to BlackICE PC Protection 3.6 from a previous version of 
BlackICE, your evidence log files are still stored in C:\Program Files\Network ICE\BlackICE. 

Evidence files are encoded as trace files. To view the contents of these files, you must have 
a decoding application, such as Network Monitor (included with Windows NT Server 
and Windows 2000). 

The Evidence Log tab controls the size and grouping of each evidence file set. For more 
information about tracking evidence of intrusions, see "Collecting Evidence of Intrusions" 
on page 32. 

Note: Evidence files are not the same as packet logs. Packet logs are a capture of all 
inbound and outbound traffic on the computer. An evidence file focuses on the traffic 
associated with specific attacks. 

Evidence Log settings 

This table describes the available log file settings: 

This setting...       Has this effect... 

Logging enabled 
    Instructs BlackICE to collect evidence files for suspicious events. This setting is 
    enabled by default. 

File prefix 
    Specifies the prefix for the evidence file names. BlackICE automatically places an 
    incremental counter in the filename. For example, if you enter ABC, the file names 
    will be ABC0001.enc, ABC0002.enc, etc. The default file prefix is evd. 

Maximum size (in kilobytes) 
    Controls how big each evidence file can get. For best results, keep this value under 
    2048 kilobytes (2 MB). To ensure that the file fits on a floppy disk, consider using a 
    maximum size of 1400 kilobytes (the default). 

Maximum number of files 
    Limits the number of files BlackICE generates in the specified collection time period. 
    For example, if the maximum number of files is 32 (the default value), BlackICE does 
    not generate more than 32 evidence files in any 24-hour period. 

Table 18: Evidence log tab settings 
Evidence Log tab buttons 

This table describes the buttons that appear on the Evidence Log tab. 

This button...        Has this effect... 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 
The Back Trace Tab 

Introduction 

Back tracing is the process of tracing a network connection to its origin. When somebody 
connects to your computer over a network such as the Internet, your computer and the 
intruder's computer exchange packets. Before an intruder's packets reach your computer, 
they travel through several routers. BlackICE PC Protection can read information from 
these packets and identify each router the intruder's packets had to travel through. 
BlackICE can often identify the intruder's computer in this way. Keep in mind that the 
address a trace reaches is the one the packets were sent from; an attacker may be 
working through another compromised machine rather than their own. 

For more information about setting your back tracing preferences, see "Introduction" on 
page 30. 

Threshold 

The threshold setting indicates the event severity level that will trigger a trace of the 
attack. Severity refers to the numeric level of each event. 

• The default event severity for the indirect trace threshold is 3. 

• The default event severity for the direct trace threshold is 6. 

DNS lookup 

When this option is selected, BlackICE PC Protection queries available DNS (Domain 
Name Service) servers for information about the intruder. 

Note: DNS Lookup is enabled by default. 

NetBIOS nodestatus 

When this option is selected, BlackICE performs a NetBIOS lookup on the intruder's 
computer. 

Note: NetBIOS Node Status is enabled by default. 

Back Trace tab buttons 

This table describes the buttons that appear on the Back Trace tab. 

This button...        Has this effect... 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 
The Intrusion Detection Tab 

Introduction 

The Intrusion Detection tab allows you to control the IP addresses or intrusions the 
BlackICE engine trusts or ignores. 

For information about trusting and ignoring, see "Trusting Intruders" on page 19 and 
"Ignoring Events" on page 37. 

Intrusion Detection tab columns 

This table describes the information that appears in the columns on the Intrusion 
Detection tab. 

This column...        Contains this information... 

Intruder IP 
    The IP address of the computer you want to trust. 

Intruder 
    The machine name of the computer you want to trust. 

Event name 
    The name of the event type you want to ignore. 

Event ID 
    The standard numerical designation for the event type you want to ignore. You can 
    look up the numerical Event ID in the ID: field of the Exclude from Reporting dialog. 

Table 19: Intrusion Detection tab columns 

Intrusion Detection tab buttons 

This table describes the buttons that appear on the Intrusion Detection tab. 

This button...        Has this effect... 

Add 
    Click to open the Exclude from Reporting dialog. For information about using the 
    Exclude from Reporting dialog to trust addresses or ignore events, see "Blocking 
    Intrusions" on page 17. 

Delete 
    Click to remove the Trust or Ignore instruction associated with the highlighted record. 

Modify 
    Click to open the Exclude from Reporting dialog to make changes to the highlighted 
    Trust or Ignore record. 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 

Table 20: Intrusion Detection tab buttons 
The Notifications Tab 

Introduction 

The Notifications tab allows you to control some interface and notification functions. 

Notification settings 

This table describes the settings you can configure on the Notifications tab: 

This setting...       Has this effect... 

Event Notification 
    BlackICE alarm preferences control how and when the application notifies you of an 
    event. 

Visible Indicator 
    Enables the BlackICE System Tray icon to flash when an event is reported. The visible 
    indicator is triggered only if BlackICE is closed or hidden. Select the option button 
    that includes the types of events you want the system to trigger an alert for. 

Audible Indicator 
    Enables BlackICE to play a .wav file when an event is reported. The audible alarm is 
    triggered whether the BlackICE window is open or closed. Select the option button 
    that includes the types of events you want the system to trigger an alarm for. 

WAV File 
    If the Audible Indicator option is selected, use this field to define the .wav file. Click 
    the folder icon to select a .wav file. 

Preview 
    Click to listen to the selected alert .wav file. This feature is only enabled if the 
    Audible Indicator option is selected. The computer must have a sound card and 
    speakers to play the audible alarm. 

Update Notification 
    BlackICE can automatically check for software updates that protect against new 
    kinds of intrusions. Use these inputs to configure your own checking schedule. 

Enable checking 
    Select to automatically check the BlackICE Web site for updates. This option is 
    disabled by default. 

Interval for checking 
    Enter the number of days between checks for updates. The default is every 3 
    continuous days of operation. 

Table 21: Notifications tab settings 

For more information about choosing your notification settings, see "Responding to 
Application Protection Alerts" on page 27. 
Notifications tab buttons 

This table describes the buttons that appear on the Notifications tab. 

This button...        Has this effect... 

OK 
    Click to save your changes and return to the main BlackICE window. 

Cancel 
    Click to discard your changes and return to the BlackICE window. 

Apply 
    Click to save your changes and keep the current tab open. 

Help 
    Displays the online Help for this tab. 
The Prompts Tab

Introduction   The Prompts tab enables you to choose the level of feedback you want from the BlackICE PC Protection user interface.

Prompts tab settings   This table describes the settings on the Prompts tab:

This setting...                Has this effect...

Show Confirm Dialogs: BlackICE asks you for confirmation when you delete items, clear the event list, and make other significant changes. Clear to turn off such confirmations.

Show Tooltips: BlackICE displays a brief description when the mouse cursor hovers over a user interface item. Clear to turn off tooltips.

Show Prompt When Service Stopped: BlackICE reminds you when the BlackICE intrusion detection engine is stopped and your computer is unprotected. When you restart your computer after you have stopped the BlackICE service, BlackICE asks if you want to restart the service. Click Yes to restart BlackICE. To instruct BlackICE not to remind you when the service is stopped, select Don't ask me again. While the service is stopped, no traffic is analyzed or blocked, so leave this reminder on unless you have another way of noticing that the engine is down.

Table 22: Prompts tab settings
The Application Control Tab

Introduction   Use the Application Control tab to prevent unauthorized applications from starting on your computer.

Enable Application Protection   When Enable Application Protection is selected, BlackICE monitors your computer for unauthorized applications.

Note: Enabling or disabling this feature also enables or disables the Communications Control feature. See "The Communications Control Tab" on page 61.

For information on how to manage your Application Protection settings, see "Protecting Your Computer From Unauthorized Applications" on page 22.

Application Control settings   This table describes the settings you can configure on the Application Control tab.

This setting...                Has this effect...

When an unknown application starts:

  Ask me what to do: When an application that is not in your computer's baseline attempts to start, BlackICE asks you whether to shut it down.

  Always terminate the application: When an application that is not in your baseline attempts to start, BlackICE shuts it down.

When a modified application starts:

  Ask me what to do: The application is in your baseline but has been modified since the last time you created or updated your baseline. When the application attempts to start, BlackICE asks you whether to shut it down.

  Always terminate the application: The application is in your baseline but has been modified since the last time you created or updated your baseline. When the application attempts to start, BlackICE shuts it down.

Protect Agent Files   When Protect Agent Files is selected, BlackICE PC Protection locks the BlackICE program files and the files that contain your known applications list and communications control settings. Only BlackICE can write to these files. Leave this option selected: a program that can rewrite the known applications list can add itself to your baseline and so bypass Application Control altogether.

More information   For more information on how to choose your Application Control options, see "Protecting Your Computer From Unauthorized Applications" on page 22 and "Advanced Application Protection Settings" on page 71.
Application Control tab buttons   This table describes the buttons that appear on the Application Control tab.

This button...                Has this effect...

OK: Click to save your changes and return to the main BlackICE window.

Cancel: Click to discard your changes and return to the main BlackICE window.

Apply: Click to save your changes and keep the current tab open.

Help: Displays the online Help for this tab.
The Communications Control Tab

Introduction   Use the Communications Control tab to prevent programs on your computer from contacting a network without your knowledge.

Enable Application Protection   When Enable Application Protection is selected, the BlackICE PC Protection Application Protection component is running.

Note: Enabling or disabling this feature also enables or disables the Application Control feature. See "The Application Control Tab" on page 59.

Communications Control settings   BlackICE PC Protection blocks outbound transmissions according to your instructions. Your selection of an option on the Communications Control tab determines what BlackICE does about all future relevant events. You have these choices:

This setting...                Has this effect...

When an unauthorized application attempts to access the network:

  Always terminate the application: When any application you have not previously authorized to contact a network tries to send a transmission, BlackICE shuts down the application.

  Prompt before terminating the application: When an unauthorized application tries to send a transmission, BlackICE asks you whether to shut down the application.

  Always block network access for the application: When an unauthorized application tries to send a transmission, BlackICE prevents the transmission but lets the application keep running.

  Prompt before blocking network access for the application: When an unauthorized application tries to send a transmission, BlackICE asks you whether to prevent the transmission.

For information about how to choose an option, see "Protecting Your Computer From Unauthorized Communications" on page 26.

Communications Control tab buttons   This table describes the buttons that appear on the Communications Control tab.

This button...                Has this effect...

OK: Click to save your changes and return to the main BlackICE window.

Cancel: Click to discard your changes and return to the main BlackICE window.

Apply: Click to save your changes and keep the current tab open.

Help: Displays the online Help for this tab.
Appendix C

Advanced Firewall Settings

Overview

Introduction   You can use the Advanced Firewall Settings window to block intruders or ports.

• When you block an intruder, BlackICE PC Protection creates an IP address entry in your firewall that prevents all traffic from that IP address from entering your computer.

• When you block a port, BlackICE creates a port entry in your firewall that prevents any traffic from entering through that port.

In this Appendix   This Appendix contains the following topics:

Topic                                         Page
The Advanced Firewall Settings Window         64
The Add Firewall Entry Dialog                 66
The Modify Firewall Entry Dialog              68
The Advanced Firewall Settings Window

Introduction   Use the Advanced Firewall Settings window to create, modify and delete firewall settings for IP addresses and ports. Add and remove addresses or ports from the firewall list as necessary to protect your computer.

Caution: This firewall editor is intended only for users with advanced computer networking experience. A mistaken entry can either block traffic you need or accept traffic that BlackICE would otherwise have rejected.

Sorting   Click a column header to sort the list by that column. Click the column header again to reverse the sort order.

Column descriptions   The following table describes the columns on the Advanced Firewall Settings window:

This column...                Contains this information...

Icon: A visual representation of the firewall setting. Green indicates that all communication from the address is accepted. A slash through the icon indicates that the IP address is blocked and all network traffic from that system is rejected.

Owner: Shows who created the firewall entry. Entries generated through the BlackICE automatic blocking feature display "auto". Entries created manually from the BlackICE user interface show "BIgui".

Address: The IP address of the accepted or blocked system. If the firewall entry is for a port, the word ALL appears.

Port: The accepted or rejected port number. If the firewall entry is for an IP address, the word ALL appears.

Type: The type of port: UDP or TCP.

Start Time: The date and time the setting was created, in MM/DD/YY hh:mm:ss format. Times are in 24-hour format.

End Time: The date and time at which the setting expires, in MM/DD/YY hh:mm:ss format. Times are in 24-hour format. Permanent settings show the text PERPETUAL.

Name: The best name BlackICE has for the IP address. This may be a DNS or NetBIOS (WINS) name.

Note: If the setting was configured from the Advanced Firewall Settings screen, this column is empty.

Table 23: Advanced Firewall Settings window columns
Buttons   The following table describes the buttons on the Advanced Firewall Settings screen:

This button...                Has this effect...

Options: To be notified when BlackICE is about to stop blocking an IP address, select Warn before block expires.

Add: To manually add a new IP address filter or a new port configuration, click Add. The Add Firewall Entry window appears. For information on managing individual IP addresses, see "Blocking Intrusions" on page 17.

Delete: To delete a firewall setting, select the setting and click Delete. Click Yes to remove the entry from the BlackICE firewall.

Modify: Select a firewall setting to change and click Modify. The Modify Firewall Entry window appears.

Table 24: Advanced Firewall Settings window buttons

Shortcut menu   These commands are available when you right-click an item in the firewall list:

Note: Accept and Reject entries produce different shortcut options.

This command...                Has this effect...

Unblock Only: Removes a blocked address from the firewall.

Unblock and Accept: Changes the blocked address's firewall setting from Reject to Accept.

Unblock, Accept and Trust: Changes the entry's firewall setting from Reject to Accept, and then trusts the address or port. When an entry is trusted, the BlackICE intrusion detection engine ignores attacks from the address. Trust only addresses you control: an attack arriving from a trusted address is never reported, so a trusted host that is later compromised can attack your computer without producing an event.

Modify: Opens a window that allows you to change the firewall setting.

Delete: Removes the accepted address from the firewall.

Cut: Removes the address from the list and copies the information to your computer's clipboard. You can paste the information into any application that accepts text input, such as a word processing or spreadsheet program.

Copy: Copies the selected address to your computer's clipboard. You can paste the information into any application that accepts text input, such as a word processing or spreadsheet program.

Find: Searches the address list for information that you specify.

Print: Sends the contents of the Advanced Firewall Settings window to the default printer in comma-separated text format.

Table 25: Advanced Firewall Settings window shortcut commands
The Add Firewall Entry Dialog

Introduction   Use this dialog to create firewall settings that block or accept IP addresses or ports.

Add Firewall Entry dialog settings   The Add Firewall Entry dialog features these fields:

This field...                Contains...

Name: The descriptive name for the filter. It is a good idea to use the name of the potential intruder or of the protocol or software using the port, such as "SMTP" or "Quake."

IP Address: The IP address to block or accept. You can enter IP address ranges. Use the format 0.0.0.0-1.1.1.1 to enter a range.

All Addresses: When selected, blocks all IP addresses from communicating with your computer through the specified port.

Port: The port to block or accept. This must be a whole value between 1 and 65535.

All Ports: When selected, closes off all ports on your computer to communications from the specified IP address.

Type: The type of address or port. If you need to create an entry for multiple types, you must create a separate filter for each type. Choose from:

• IP

• TCP

• UDP

Mode: The type of firewall setting. Choose from:

• Accept

• Reject

Address Entry: Controls whether an accepted address is trusted. Trusted addresses are completely free from any intrusion monitoring. Leaving the address untrusted allows BlackICE to report events from the address.

Note: Only available when Accept is selected.

Duration of Rule: The duration of the firewall entry. Choose from:

• Hour

• Day

• Month

• Forever

All limited durations begin at the time the firewall entry is created.

Table 26: Add Firewall Settings dialog features

Add Firewall Entry dialog buttons   The Add Firewall Entry dialog has these buttons:

This button...                Has this effect...

Add: Click to create the firewall entry.

Cancel: Closes the window without saving the setting.

Table 27: Add Firewall Settings dialog buttons
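The fields of this dialog and the columns of the Advanced Firewall Settings window (Table 23) describe one data model: an address or range, a port or ALL, a type, a mode, an optional trust flag, and a duration measured from the moment the entry is created. The Python below is an added example written for this edition, not BlackICE code from ISS. It validates an entry the way the dialog does, computes the End Time column (PERPETUAL for Forever), and decides what happens to an incoming packet. Three things the manual does not state are assumed here: an entry of type IP covers every protocol, a Reject entry wins when several entries match, and Month means 30 days. The sample entries and timestamps are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Duration of Rule choices. Month = 30 days is an assumption.
DURATIONS = {"Hour": timedelta(hours=1), "Day": timedelta(days=1),
             "Month": timedelta(days=30), "Forever": None}


def parse_address(spec: str) -> Optional[Tuple[int, int]]:
    """'ALL' -> None; '1.2.3.4' -> (n, n); '0.0.0.0-1.1.1.1' -> inclusive range."""
    if spec.strip().upper() == "ALL":
        return None
    lo, _, hi = spec.partition("-")
    start = int(ipaddress.IPv4Address(lo.strip()))
    end = int(ipaddress.IPv4Address(hi.strip())) if hi else start
    if end < start:
        raise ValueError(f"range end precedes start: {spec}")
    return start, end


@dataclass
class FirewallEntry:
    name: str
    address: Optional[Tuple[int, int]]  # None = All Addresses
    port: Optional[int]                 # None = All Ports
    kind: str                           # Type: "IP", "TCP" or "UDP"
    mode: str                           # Mode: "Accept" or "Reject"
    duration: str                       # Duration of Rule
    created: datetime                   # Start Time
    trust: bool = False                 # only meaningful with Accept
    owner: str = "BIgui"                # "auto" for auto-blocking entries

    def __post_init__(self) -> None:
        # The same checks the dialog enforces before an entry is created.
        if self.port is not None and not 1 <= self.port <= 65535:
            raise ValueError("port must be a whole value between 1 and 65535")
        if self.kind not in ("IP", "TCP", "UDP"):
            raise ValueError("type must be IP, TCP or UDP")
        if self.mode not in ("Accept", "Reject"):
            raise ValueError("mode must be Accept or Reject")
        if self.duration not in DURATIONS:
            raise ValueError("duration must be Hour, Day, Month or Forever")
        if self.trust and self.mode != "Accept":
            raise ValueError("trust is only available when Accept is selected")

    def end_time(self) -> Optional[datetime]:
        span = DURATIONS[self.duration]
        return None if span is None else self.created + span

    def active(self, now: datetime) -> bool:
        end = self.end_time()
        return self.created <= now and (end is None or now < end)

    def matches(self, src_ip: str, port: int, proto: str, now: datetime) -> bool:
        if not self.active(now):
            return False
        if self.address is not None:
            lo, hi = self.address
            if not lo <= int(ipaddress.IPv4Address(src_ip)) <= hi:
                return False
        if self.port is not None and self.port != port:
            return False
        return self.kind == "IP" or self.kind == proto  # assumption: IP covers all

    def row(self) -> List[str]:
        """The entry as the Advanced Firewall Settings columns would show it."""
        fmt = "%m/%d/%y %H:%M:%S"  # MM/DD/YY hh:mm:ss, 24-hour
        end = self.end_time()
        if self.address is None:
            addr = "ALL"
        else:
            lo, hi = (str(ipaddress.IPv4Address(n)) for n in self.address)
            addr = lo if lo == hi else f"{lo}-{hi}"
        return [self.mode, self.owner, addr,
                "ALL" if self.port is None else str(self.port), self.kind,
                self.created.strftime(fmt),
                "PERPETUAL" if end is None else end.strftime(fmt), self.name]


def decide(entries: List[FirewallEntry], src_ip: str, port: int, proto: str,
           now: datetime) -> str:
    """Reject beats Accept (assumption); no match leaves the default policy."""
    hits = [e for e in entries if e.matches(src_ip, port, proto, now)]
    if any(e.mode == "Reject" for e in hits):
        return "Reject"
    if any(e.trust for e in hits):
        return "Accept+Trust"
    return "Accept" if hits else "No entry"


# Constructed sample list: a port block, an auto-blocked intruder range that
# expires after an hour, and a permanently trusted host.
T0 = datetime(2004, 3, 1, 14, 5, 0)
SAMPLE = [
    FirewallEntry("Quake", None, 27960, "UDP", "Reject", "Day", T0),
    FirewallEntry("intruder", parse_address("192.0.2.10-192.0.2.20"), None,
                  "IP", "Reject", "Hour", T0, owner="auto"),
    FirewallEntry("office", parse_address("198.51.100.7"), None,
                  "IP", "Accept", "Forever", T0, trust=True),
]
```

Run `decide(SAMPLE, "192.0.2.15", 80, "TCP", now)` thirty minutes after T0 and the auto-block answers Reject; two hours after T0 the same packet gets "No entry", which is the point of the Warn before block expires option. The UDP port block does not touch TCP traffic to port 27960, so a host that listens on both protocols needs two entries, as the Type field's note says.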
The Modify Firewall Entry Dialog

Introduction   Use this dialog to change a firewall setting that you have set up previously.

Modify Firewall Entry dialog settings   The Modify Firewall Entry dialog features these fields:

This field...                Contains...

Name: The descriptive name for the filter. It is a good idea to use the name of the potential intruder or of the protocol or software using the port, such as "SMTP" or "Quake."

IP Address: The IP address to block or accept. You can enter IP address ranges. Use the format 0.0.0.0-1.1.1.1 to enter a range.

All Addresses: When checked, blocks all IP addresses from communicating with your computer through the specified port.

Port: The port to block or accept. This must be a whole value between 1 and 65535.

All Ports: When selected, closes off all ports on your computer to communications from the specified IP address.

Type: The type of address or port. If you need to create an entry for multiple types, you must create a separate filter for each type. Choose from:

• IP

• TCP

• UDP

Mode: The type of firewall setting. Choose from:

• Accept

• Reject

Address Entry: Controls whether an accepted address is trusted. Trusted addresses are completely free from any intrusion monitoring. Leaving the address untrusted allows BlackICE to report events from the address.

Note: Only available when Accept is selected.

Duration of Rule: The duration of the firewall entry. Choose from:

• Hour

• Day

• Month

• Forever

All limited durations begin at the time the firewall entry is created.

Table 28: Modify Firewall Settings dialog features

Modify Firewall Entry dialog buttons   The Modify Firewall Entry dialog has these buttons:

This button...                Has this effect...

Add: Click to create the firewall entry.

Cancel: Closes the window without saving the setting.

Table 29: Modify Firewall Settings dialog buttons
Appendix D

Advanced Application Protection Settings

Overview

Introduction   The Advanced Application Protection Settings window lets you control which applications can start on your computer and which applications can connect to a network, such as the Internet.

• For information about controlling applications on your computer, see "Protecting Your Computer From Unauthorized Applications" on page 22 and "The Application Control Tab" on page 59.

• For information about controlling network access from your computer, see "Protecting Your Computer From Unauthorized Communications" on page 26 and "The Communications Control Tab" on page 61.

In this Appendix   This Appendix contains the following topics:

Topic                                         Page
The Known Applications Tab                    73
The Baseline Tab                              74
The Checksum Extensions Dialog                75

Advanced Application Settings window buttons   The Advanced Application Protection Settings window has these buttons:

This button...                Has this effect...

Save Changes: Click to save the settings you chose on the Known Applications tab.

Run Baseline: Click to have BlackICE inspect your computer according to the instructions you set on the Baseline tab.

Help: Click to open the online Help for this screen.

Table 30: Advanced Application Protection Settings window buttons
Advanced Application Settings window menu commands   The Advanced Application Protection Settings window features these menus:

This command...                Has this effect...

File menu

  Run Baseline: Executes the choices you have made on the Baseline tab.

  Save Changes: Records the settings you have made on the Known Applications tab.

  Exit: Closes the Advanced Application Protection Settings window without saving any changes.

Tools menu

  Checksum extensions: Opens the Checksum Extensions dialog. You can use this dialog to control what kinds of application files BlackICE detects. For information about how to do this, see "Adding file types to the baseline" on page 24.

  Find: Searches the Filenames column for the text you specify.

Help menu

  BlackICE Help Topics: Displays the BlackICE online Help.

  Online Support: Starts your Web browser and points it to a collection of frequently asked questions (FAQ) about BlackICE on the ISS Web site.

  WWW.ISS.NET: Starts your browser and points it to the ISS Web site, www.iss.net, which contains the latest information about BlackICE PC Protection.

  About Protection Settings: Displays information about this version of the BlackICE application protection module.

Table 31: Advanced Application Settings window menu commands
The Known Applications Tab

Introduction   The Known Applications tab shows the application files BlackICE has detected on your system. If an application not on this list attempts to start, BlackICE alerts you or automatically closes the application, depending on the options you selected on the Application Control tab. For more information, see "Protecting Your Computer From Unauthorized Applications" on page 22 and "The Application Control Tab" on page 59.

Known Applications tab columns   The information in the file pane appears in the following columns:

This column...                Contains this information...

Filename: The name of the application file. Click the Filename column header to sort the display by this column.

Path: The location of the application file on your system.

Application Control: To automatically close down the application when it attempts to start, select Terminate. To let the application run, leave the option blank.

Communications Control: To prevent this application from accessing a network, set the option to Block. To shut down this application when it attempts to contact a network, set the option to Terminate. To allow this application to access a network, leave the option blank.

Company: The vendor of the application file.

Product: The name of the application.

Number of Versions: Number of times the file has been replaced or upgraded.

Source: Specifies whether the entry was created locally or remotely. This column should always show Local.

Table 32: Advanced Application Settings window file pane columns
The Baseline Tab

Introduction   The Baseline tab allows you to control how BlackICE PC Protection inspects your computer for application files.

The system tree pane   The system tree pane shows the drives and directories BlackICE PC Protection has found on your system. To see the application files in a directory, check the box next to the directory name. To view all the application files on a drive, check the box next to the drive name.

The file pane   The file pane shows all the application files BlackICE has detected on your system. To have BlackICE search a drive or directory, check the box next to the drive or directory name.
The Checksum Extensions Dialog

Introduction   The Checksum Extensions dialog enables you to customize the application file types that BlackICE PC Protection lists when it inspects your system. BlackICE determines which files are included in the baseline from the file name's extension (the three characters after the period). Because selection is by extension alone, a program file whose extension is not in this list is never checksummed and so is never reported as unknown or modified.

Checksum Extensions dialog fields   The dialog has this field:

Field: Extensions

Information: In the text box, enter the three-character extension for an application type you want BlackICE to track.

The box below contains the extensions for the application types that BlackICE already looks for. By default, BlackICE records these application types:

• com: a small executable file with program instructions

• dll: dynamic link library, a collection of resources that enable a program file to do its job

• drv: driver, a small program that enables a device or service to work

• exe: executable file, containing program instructions

• ocx: ActiveX control, a special-purpose program for functions such as scroll bar movement and window resizing in Windows applications

• scr: screensaver program

• sys: files that control basic operating system functions

• vxd: "virtual device" that enables other software to work

Table 33: Information fields on the Checksum Extensions dialog
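The extension list above, the baseline produced by Run Baseline, and the unknown/modified distinction made on the Application Control tab fit together as one mechanism: checksum every file whose extension is in the list, then compare at start time. The Python below is an added example for this edition, not ISS code. It assumes SHA-256 (the manual does not name BlackICE's checksum algorithm), treats files with an untracked extension as outside Application Control, and represents the Application Control tab's two choices as "ask" and "terminate". All sample files are constructed in a temporary directory, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Default checksum extensions from the dialog above.
DEFAULT_EXTENSIONS = frozenset({"com", "dll", "drv", "exe", "ocx", "scr", "sys", "vxd"})


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents (the algorithm is an assumption)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tracked(path: Path, extensions=DEFAULT_EXTENSIONS) -> bool:
    """Inclusion is decided purely by the characters after the last period."""
    return path.suffix.lower().lstrip(".") in extensions


def build_baseline(root: Path, extensions=DEFAULT_EXTENSIONS) -> Dict[str, str]:
    """Run Baseline: record a checksum for every tracked file under root."""
    return {str(p.resolve()): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file() and tracked(p, extensions)}


def classify(baseline: Dict[str, str], path: Path, extensions=DEFAULT_EXTENSIONS) -> str:
    """'known', 'modified', 'unknown', or 'untracked' (extension not in the list)."""
    if not tracked(path, extensions):
        return "untracked"
    key = str(path.resolve())
    if key not in baseline:
        return "unknown"
    return "known" if file_digest(path) == baseline[key] else "modified"


def decide_start(status: str, on_unknown: str = "ask", on_modified: str = "ask") -> str:
    """Application Control tab policy; each parameter is 'ask' or 'terminate'."""
    if status == "unknown":
        return on_unknown
    if status == "modified":
        return on_modified
    return "allow"


def accept_version(baseline: Dict[str, str], versions: Dict[str, int], path: Path) -> None:
    """You let a changed file run: re-record it and bump Number of Versions."""
    key = str(path.resolve())
    baseline[key] = file_digest(path)
    versions[key] = versions.get(key, 0) + 1


def demo() -> dict:
    """Constructed scenario in a temporary directory; returns each step's result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ original program")
        (root / "helper.dll").write_bytes(b"MZ library")
        (root / "readme.txt").write_bytes(b"not an application")
        baseline = build_baseline(root)
        versions: Dict[str, int] = {}
        (root / "app.exe").write_bytes(b"MZ patched program")    # changed after baseline
        (root / "saver.scr").write_bytes(b"MZ new screensaver")  # never baselined
        out = {
            "baselined": sorted(Path(k).name for k in baseline),
            "app": classify(baseline, root / "app.exe"),
            "helper": classify(baseline, root / "helper.dll"),
            "saver": classify(baseline, root / "saver.scr"),
            "readme": classify(baseline, root / "readme.txt"),
        }
        out["app_decision"] = decide_start(out["app"], on_unknown="ask", on_modified="terminate")
        accept_version(baseline, versions, root / "app.exe")
        out["app_after_accept"] = classify(baseline, root / "app.exe")
        out["app_versions"] = versions[str((root / "app.exe").resolve())]
        return out
```

In `demo()` the patched app.exe is reported as modified and, under an "Always terminate" choice for modified applications, is terminated; the new saver.scr is unknown; readme.txt is never examined. After `accept_version` the patched file is known again and its Number of Versions reads 1, which is exactly the state the Known Applications tab shows after you let an updated program run.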



Checksum Extensions dialog buttons   The Checksum Extensions dialog includes these buttons:

This button...                Has this effect...

Add: To add a file type to your system baseline, enter an extension in the Extensions text box and click Add.

Delete: To have BlackICE ignore a file type when it creates your baseline, highlight the file type and click Delete.

OK: Saves your settings and closes the Checksum Extensions dialog.

Cancel: Closes the Checksum Extensions dialog without saving any changes.

Help: Opens the online Help for this dialog.

Table 34: Buttons on the Checksum Extensions dialog
Appendix E

The Main Menu

Overview

Introduction   The Main Menu appears above the information tabs. This Appendix explains how to use the menu options to control the appearance and operation of BlackICE features.

In this Appendix   This Appendix contains the following topics:

Topic                                         Page
The File Menu                                 78
The Edit Menu                                 79
The View Menu                                 80
The Tools Menu                                81
The Help Menu                                 82
The System Tray Menu                          83
The File Menu

Introduction   Use the File menu to control the essential operations of BlackICE PC Protection.

Print...   Print sends information from BlackICE to your default printer. To print information about an event or intruder:

1. On the Events or Intruders tab, select an event or intruder.

2. Click Print.

3. In the Print window, choose a printer and the desired number of copies, and then click OK.

For more information about things you can do with BlackICE data, see "Exporting BlackICE Data" on page 35.

Exit   Exit closes the BlackICE user interface. The BlackICE icon is removed from the system tray when you close the interface, but BlackICE continues to monitor for intrusions. For information about stopping BlackICE, see the BlackICE PC Protection Getting Started Guide.
The Edit Menu

Introduction   Use the Edit menu to manipulate the intrusion records that BlackICE PC Protection gathers.

Cut   To cut an event or intruder:

• On the Events or Intruders tab, click an event or intruder, and then select Cut from the Edit menu.

  ■ BlackICE removes the entry from the list.

  ■ BlackICE copies the entry to your computer's clipboard in comma-delimited text format.

Copy   To copy an event or intruder:

• On the Events or Intruders tab, click an event or intruder, and then select Copy from the Edit menu.

  BlackICE copies the information to your computer's clipboard in comma-delimited text format.

Delete   To delete an event or intruder:

• On the Events or Intruders tab, click an event or intruder and select Delete from the Edit menu.

  BlackICE removes the entry from the list.

Select All   To select all events or intruders:

• On the Events or Intruders tab, click an event or intruder and choose Select All from the Edit menu.

  BlackICE highlights all the events you have viewed during this session.

Find...   To find events or intruders:

1. On the Events or Intruders tab, click an event or intruder and select Find from the Edit menu.

2. In the Find window, select Match Whole Word Only or Match Case to narrow your search terms.

  ■ To search only records above the highlighted record, click Up.

  ■ To search records below the highlighted record, click Down.
The View Menu

Introduction   Use the View menu to choose which items are displayed, and how, on the Events and Intruders lists.

Freeze   Stops BlackICE from refreshing the tab information. For more information, see "Freezing the Events list" on page 15.

Filter by Event Severity   Filters the types of attacks that are displayed.

To filter the types of attacks that are displayed:

1. On the Events or Intruders tab, select Filter by Event Severity from the View menu.

2. Choose the minimum severity level you want reported. For information about severity levels, see "Severity levels" on page 12.

For more information about filtering BlackICE data, see "Filtering the Events List" on page 14.
The Tools Menu

Introduction   The Tools menu enables you to configure the application by editing the settings; edit the Advanced Firewall settings; start or stop the BlackICE engine; clear the event list; or change other preferences.

Edit BlackICE Settings...   Displays the configuration tabs that control the operation of the BlackICE engine. For more information, see "Configuration Tabs" on page 47.

Stop BlackICE Engine   Turns off the BlackICE intrusion detection engine. If the intrusion detection engine is already stopped, this item is replaced with Start BlackICE Engine. For more information, see the Getting Started Guide.

Stop BlackICE Application Protection   Turns off the Application Protection and Communications Control features. If Application Protection is already turned off, this command is replaced with Start BlackICE Application Protection. For more information, see "Protecting Your Computer From Unauthorized Applications" on page 22.

Clear Files...   Deletes intrusion information by removing the contents of your Events tab. For more information, see "Clearing the Events list" on page 14.

Download Software Update   Checks the ISS Web site for a newer version of the BlackICE application software.

Download Security Content Update   Checks the ISS Web site for a newer version of the information BlackICE uses to protect your computer.

Advanced Firewall Settings   Displays the Advanced Firewall Settings window, which enables you to control which IP addresses or TCP/UDP port numbers BlackICE blocks or accepts. For more information, see "Blocking Intrusions" on page 17.

Advanced Application Protection Settings   Displays the Advanced Application Protection Settings window, with which you can control which applications can run on your computer and which applications can access a network. For more information, see "Protecting Your Computer From Unauthorized Applications" on page 22.
The Help Menu

Introduction   The Help menu offers links to the online Help, the ISS Web site, and information about BlackICE.

BlackICE Help Topics   Displays the BlackICE online Help.

Online Support   Starts your Web browser and points it to a collection of frequently asked questions (FAQ) about BlackICE on the ISS Web site.

WWW.ISS.NET   Starts your Web browser and points it to the ISS Web site, www.iss.net, which contains the latest information about BlackICE PC Protection and other ISS products.

About BlackICE   Displays your BlackICE license key and more information about your BlackICE version. Click Update to replace an expired license key with a new key.

Support Knowledge Base   Starts your browser and points it to a collection of online security information at www.iss.net.
The System Tray Menu

Introduction   The system tray menu provides a quick way to access some key BlackICE functions. You can see this menu by right-clicking the BlackICE icon in the lower right corner of your screen.

View BlackICE Events   Opens the BlackICE user interface to the Events list, which displays information about recent intrusions. For more information, see "The Events Tab" on page 40.

Edit BlackICE Settings...   Opens the BlackICE PC Protection user interface to the settings dialog, from which you can select one of the configuration tabs. For information about any of the configuration tabs, see "Configuration Tabs" on page 47.

Advanced Firewall Settings   Opens the BlackICE user interface to the Advanced Firewall Settings window, which enables you to customize the IP addresses and ports that BlackICE blocks or accepts. For more information, see "Blocking Intrusions" on page 17.

Advanced Application Protection Settings   Opens the Advanced Application Protection Settings window, where you can control which applications can run on your system or access a network. For more information, see "Protecting Your Computer From Unauthorized Applications" on page 22 or "Protecting Your Computer From Unauthorized Communications" on page 26.

Stop BlackICE Engine   Turns off the BlackICE intrusion detection functions. No incoming traffic is analyzed or blocked. If the intrusion detection engine is already stopped, this item is replaced with Start BlackICE Engine. For more information, see the BlackICE PC Protection Getting Started Guide.

Stop BlackICE Application Protection   Turns off the BlackICE Application Protection feature. BlackICE does not warn you when unauthorized applications start, and no outbound traffic is analyzed or blocked. For more information, see "Protecting Your Computer From Unauthorized Applications" on page 22. If Application Protection is already turned off, this command is replaced with Start BlackICE Application Protection.

WWW.ISS.NET   Starts your browser and points it to the Internet Security Systems Web site.

Exit   Closes the BlackICE user interface. This command does not stop the BlackICE intrusion detection engine or the application control features. For more information, see the BlackICE PC Protection Getting Started Guide.
Index 

a 

accepting events 19 
adding an entry 66 
addresses 
    blocking and accepting 17 
Advanced Application Control Settings window 74 
alerts 
    choosing 27, 56, 58 
    interpreting 9 
    responding to 23-24, 27, 30 
anti-virus 6 
Application Control tab 59 
application file types 75 
Application Protection 6 
    application control 22, 59, 73 
    communications control 8, 26, 61, 73 
    disabling 25 
    stopping 24 
    vs virus detection 6 
audible alerts 14, 56 
auto-blocking 16, 48 

b 

Back Trace tab 54 
back tracing 
    direct vs. indirect 11 
    setting up 54 
baseline 6, 22, 26 
    creating and updating 22 
    managing 24 
blocking 
    addresses 17 
    ports 20 

c 

Cautious protection level 3, 48 
checksum 72 
choosing a protection level 14 
clearing 14 
    events 14 
    evidence logs 32 
    packet logs 14, 33 
closing BlackICE 78 
collecting evidence of intrusions 32, 52 
collecting information 
    back tracing 11 
    evidence logs 11, 32, 52 
    packet logs 11, 33, 50 
columns, customizing 15 
communications control 8, 26, 73 
Communications Control tab 61 
controlling applications 74, 81 
controlling network access 8, 26, 61, 73 
conventions, typographical 
    in commands vii 
    in procedures vii 
    in this manual vii 
copying an event 35, 42-43, 65, 79 
Critical events 9, 45 
customizing your firewall 17 

d 

data 
    collecting 11, 32-33, 50, 52 
    deleting 32-33, 79 
    printing 78 
    searching 79 
deleting information 14, 32-33, 42-43 
direct back tracing 11 
disabling Application Protection 25 
dll files 23, 75 
drv files 75 

e 

Edit menu 79 
events 
    accepting 19, 68 
    blocking 68 
    clearing 14 
    deleting 14 
    filtering 12, 14, 80 
    finding 79 
    freezing 15, 80 
    notification 27 
Events tab 40 
Evidence Log tab 52 
evidence logs 11, 14 
    clearing 14, 32 
    collecting 32 
exe files 75 

f 

File menu 78 
filtering events 12, 14, 80 
finding an event 79 
firewall 5, 81 
    customizing 17 
    modifying an entry 68 
Firewall tab 48 
freezing events 15 

h 

help viii 
    knowledge base viii 
    product documentation viii 
    technical support viii 
Help menu 82 
History tab 45 

i 

icons 
    firewall 64 
    response levels 10 
    severity levels 9 
indirect back tracing 11 
information 
    collecting 11, 50, 52 
    customizing 15 
    deleting 14, 32-33 
    filtering 12, 14, 80 
Informational events 9 
Install Mode 27 
installing BlackICE v 
Internet file sharing 16, 48 
internet service provider 17, 36 
intruders 
    trusting 19 
Intruders tab 43 
Intrusion Detection tab 55 
IP addresses 
    blocking and accepting 17 

k 

knowledge base viii, 82 

m 

menus 
    Edit 79 
    File 78 
    Help 82 
    Tools 81 
    View 80 
mode, Attended vs. Unattended 26 
modified applications 8, 23, 59 

n 

Nervous protection level 3, 48 
network access, controlling 8, 26, 61, 73 
network traffic graph 45 
notification of events 27 
Notifications tab 56 

o 

ocx files 75 
online Help 82 
online resources viii 
overlays 10 

p 

Packet Log tab 50 
packet logs 11, 50 
    clearing 14, 33 
    collecting 33 
Paranoid protection level 3, 48 
ports, blocking 20 
printing information 42, 44, 65, 78 
product documentation viii 
product updates viii 
profile, see baseline 
Prompts tab 58 
protection level 
    choosing 14 
    effect on applications 

r 

removing BlackICE v 
reporting abuse 36 
responding to alerts 30 
response levels 10 

s 

scr files 75 
searching 79 
Serious events 9 
severity levels 9, 80 
stopping 
    Application Protection 24 
    BlackICE engine 81 
support viii, 72, 82 
Suspicious events 9, 45 
sys files 75 

t 

tabs 
    Application Control 59 
    Back Trace 54 
    Communications Control 61 
    Events 40 
    Evidence Log 52 
    Firewall 48 
    History 45 
    Intruders 43 
    Intrusion Detection 55 
    Notifications 56 
    Packet Log 50 
    Prompts 58 
technical support viii, 72, 82 
Tools menu 81 
trace file decoders 12, 32 
traffic graph 45 
trusting an intruder 19 
Trusting protection level 3, 48 
typographical conventions vii 

u 

Unattended mode 26 
unblocking an intruder 65 
uninstalling BlackICE v 
unknown applications 8, 23, 27 
upgrade information viii 

v 

View menu 80 
virus detection 6 
visual alerts 14, 56 
vxd files 75 

w 

wav files 14, 56 
windows 
    Advanced Application Control Settings 74 
Internet Security Systems, Inc. Software License Agreement 

THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE PROVISIONS OF THIS 
SOFTWARE LICENSE AGREEMENT ("LICENSE"). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES 
OF THE SOFTWARE AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID 
LICENSE FEE. IF THE SOFTWARE WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND 
LICENSE KEYS IN LIEU OF RETURN. 

1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. ("ISS") grants to you as the only end user ("Licensee") a nonexclusive and 
nontransferable, limited license for the accompanying ISS software product in machine-readable form and the related documentation ("Software") and the 
associated license key for use only on the specific network configuration, for the number and type of devices, and for the time period ("Term") that are specified in 
Licensee's purchase order, as accepted and invoiced by ISS. ISS limits use of Software based upon the number and type of devices upon which it may be 
installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to 
Licensee's network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. Licensee may 
reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized in Licensee's purchase order, as accepted by 
ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software on devices that could exceed 
the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and 
unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key 
solely for archival and disaster recovery purposes. 

2. Evaluation License - If ISS is providing Licensee with the Software and related documentation on an evaluation trial basis at no cost, such license Term is 30 
days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software for evaluation in a non-production, test environment. 
The following terms of this Section 2 additionally apply and supersede any conflicting provisions herein. Licensee agrees to remove the Software from the 
authorized platform and return the Software and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. 
ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software under evaluation. LICENSEE AGREES THAT 
THIS SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED "AS IS" WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT 
LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. IN NO 
EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES 
INCURRED BY LICENSEE IN CONNECTION WITH THE SOFTWARE LICENSED HEREUNDER. LICENSEE'S SOLE AND EXCLUSIVE REMEDY SHALL 
BE TO TERMINATE THIS EVALUATION LICENSE BY WRITTEN NOTICE TO ISS. 

3. Covenants - ISS reserves all intellectual property rights in the Software. Licensee agrees: (i) the Software is owned by ISS and/or its licensors, is a valuable 
trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software from 
unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover 
the source code of the Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS' and its licensors' copyright notices on any copies of the Software; and 
(vi) not to transfer, lease, assign, sublicense, or distribute the Software or make it available for timesharing, service bureau, managed services offering, or on-line 
use. 

4. Support and Maintenance - During the term for which Licensee has paid the applicable support and maintenance fees, ISS will provide software maintenance 
and support services that it makes generally available under its then current Maintenance and Support Policy. Support and maintenance include telephone 
support and electronic delivery to Licensee of error corrections and updates to the Software and documentation. The foregoing updates do not include new 
releases or products that substantially increase functionality and are marketed separately by ISS to its customers in general. 

5. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period 
of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Licensed Software will conform to material operational 
specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software is installed, implemented, and 
operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the 
warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. 
Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software, (ii) modification of the Software, 
(iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If 
Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or, if ISS determines that repair or replacement is 
impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such 
nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM 
JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS, THAT THE 
OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. 
LICENSEE UNDERSTANDS AND AGREES THAT LICENSED SOFTWARE IS NO GUARANTEE AGAINST INTRUSIONS, VIRUSES, TROJAN HORSES, 
WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE'S 
NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED OR THAT THE PERFORMANCE OF THE LICENSED 
SOFTWARE WILL RENDER LICENSEE'S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 5 ARE 
THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY. 

6. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE IS PROVIDED "AS IS" AND ISS HEREBY 
DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, 
NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF IMPLIED 
WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS 
OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, 
AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE. 

7. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software that are granted herein. ISS shall defend and 
indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or 
patent as a result of the use or distribution of a current, unmodified version of the Software; but only if ISS is promptly notified in writing of any such suit or claim, 
and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The 
foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the 
Software. 

8. Limitation of Liability - ISS' ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF 
THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE 
RECEIVED THE SOFTWARE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT 
(INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL 
DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, 
LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. 

9. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without 
prior written notice from ISS, at the end of the term of the license, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may 
immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or 
expiration of the License, Licensee shall cease all use of the Software and destroy all copies of the Software and associated documentation. Termination of this 
License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other 
remedies available to it. 

10. General Provisions - This License, together with the identification of the Software, pricing and payment terms stated in the applicable Licensee purchase order as 
accepted by ISS constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained 
in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. This License will be governed by the substantive laws 
of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on 
Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not 
affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing 
signed by an authorized officer of ISS. 

11. Notice to United States Government End Users - Licensee acknowledges that any Software furnished under this License is commercial computer software and 
any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, 
display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, 
conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR 
Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 
Barfield Road, Atlanta, GA 30328, USA. 
12. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, any related technology, or any direct product of either 
except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee 
agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Commerce 
Department's Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the 
United States has embargoed the export of goods, or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents 
and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include 
encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. Please contact ISS' Customer Operations for 
export classification information relating to the Software (customer_ops@iss.net). Licensee understands that the foregoing obligations are U.S. legal 
requirements and agrees that they shall survive any term or termination of this License. 

13. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation 
of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of 
the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that 
computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and 
use the Software in accordance with all applicable laws, regulations and rules. 

14. Disclaimers - Licensee acknowledges that some of the Software is designed to test the security of computer networks and may disclose or create problems in the 
operation of the systems tested. Licensee further acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous 
environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, 
nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property 
damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives 
all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom. 

15. Confidentiality - "Confidential Information" means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges 
that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party ("Receiving Party") which 
receives Confidential Information of the other party ("Disclosing Party") with respect to any particular portion of the Disclosing Party's Confidential Information 
shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to 
the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of 
disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality 
to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the 
Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely 
and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the 
Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by 
the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the 
Disclosing Party's Confidential Information in the Receiving Party's possession or control and destroy all derivatives and other vestiges of the Disclosing Party's 
Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of 
the Disclosing Party. 

16. Compliance - From time to time, ISS may request Licensee to provide a certification that the Licensed Software is being used in accordance with the terms of this 
License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state 
Licensee's compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its 
own expense appoint a nationally recognized independent auditor, to whom Licensee has no reasonable objection, to audit and examine records at Licensee 
offices during normal business hours, solely for the purpose of confirming that Licensee's use of the Licensed Software is in compliance with the terms of this 
License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal 
business operations of Licensee. If such audit should reveal that use of the Licensed Software has been expanded beyond the scope of use and/or the number 
of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring 
Licensee in compliance with its obligations hereunder with respect to its current use of the Licensed Software. In addition to the foregoing, ISS may pursue any 
other rights and remedies it may have at law, in equity or under this License. 

Revised January 9, 2003 